Amen!
 
Of course the problem is not the raw technology but European engineering which is 
really more like interior decorating.  There are two implementations of card PKCS#11,
one Japanese and one American, that put the PKCS#11 API at the card edge; no muss, no 
fuss.  In fact, one could argue that the token edge is where PKCS#11 should have been 
all along so that all its computin' is done inside the secure boundary.
 
IMHO, as always.
 
Cheers, Scott

        -----Original Message----- 
        From: Peter Williams [mailto:[EMAIL PROTECTED] 
        Sent: Mon 3/8/2004 9:55 PM 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: Re: [Muscle] Sun PKCS 11 (jdk 1.5) and Muscle
        
        

        Let's be clear: to sign an SSL client authentication message, we must

        1. use NSS API, which maps onto

        2. the JCA API, which calls a

        3. PKCS11 API card abstraction, which loads a PKCS11 provider, which calls the 
MSC API...

        4. which translates C calls into CardEdge APDUs, which calls

        5. MSC IFD API and its slot management abstraction, which calls

        6. the PCSC API for slot/resource and mutex/thread management

        7. which loads an IFD driver for the lun and operates the T0/T1 TPDU2APDU 
state machine, which

        8. wraps the TPDU in either TLP224 or Gemplus T1-like host->reader block 
transfer protocol, which

        9. interfaces to the USB service access point for a pre-enumerated CCID NSAP

        10. which on the reader must pass across a transport bridge, via a 
host<->controller<->UART A-layer dispatch loop, which adds events to a queue 
signalling 

        11. a T0/T1 protocol state machine handling T1 block or T0 async timeouts on a 
7816 UART, which

        11.5 pass across either a French or German encoding of bit levels and bit 
ordering, which

        12. traverses an inverse path up the ICC stack

        13. through the javacard OS io drivers (elide several layers)

        14. to the applet/APDU dispatch interface...to 

        15. finally, a method in the CardEdge class (written in Java), which

        16. calls the JCA, whose provider invokes a software RSA library - written in C probably -

        17. which makes a trusted kernel call to access the 16bit exponentiator co-processor.
        
        And this is only the Unix path. On Windows, add smartcard API drivers and CAPI 
providers...and the interaction between these two

         

        Ever wonder why smartcards don't take off, apart from being a $30 cost per head??

        >From: "Wan-Teh Chang" 
        >Reply-To: [EMAIL PROTECTED] 
        >To: [EMAIL PROTECTED] 
        >Subject: Re: [Muscle] Sun PKCS 11 (jdk 1.5) and Muscle 
        >Date: Mon, 8 Mar 2004 17:58:38 -0800 
        > 
        >Christian Schneider wrote on 3/8/2004, 2:39 PM: 
        > > I am currently searching for a java to pkcs#11 mapping. Besides the 
        > > solution from IBM which does not seem to work with the muscle pkcs#11 
        > > library I have not found any library. 
        > > 
        > > The new solution from sun is probably not yet ready for use. Is there 
        > > any other good java pkcs#11 interface for muscle? 
        > 
        >JSS (http://www.mozilla.org/projects/security/pki/jss/) 
        >supports PKCS #11 and can be used as a JCA provider. 
        > 
        >Portions of JSS are implemented by JNI calls into the 
        >NSS libraries (http://www.mozilla.org/projects/security/pki/nss/). 
        >In particular, the management of PKCS #11 modules is 
        >done in NSS. 
        > 
        >Wan-Teh 
        >_______________________________________________ 
        >Muscle mailing list 
        >[EMAIL PROTECTED] 
        >http://lists.musclecard.com/mailman/listinfo/muscle 
