So, this is the same model as an EMV card in SDA mode, as recently installed throughout the UK: check that an issuer's issuing-time signature on a presented card can be re-validated today by an offline, trusted host/reader with a trusted store of IA signature validation keys.

Given that musclecards have an ext-auth process (which approximates EMV's DDA mode), why can we not go one step further and have the host mutually authenticate to the card, using a secret ext-auth key that is handled at the same sensitivity level as the current IA verification keys (plus confidentiality, obviously)?

From: Matthias Barmeier <[EMAIL PROTECTED]>
Reply-To: MUSCLE  <[email protected]>
To: MUSCLE <[email protected]>
Subject: Re: [Muscle] libpam-musclecard
Date: Fri, 18 Nov 2005 10:24:41 +0100

Hi,

Sorry for the last mail, but the README in the Debian package
libpam-musclecard has
an incomplete configuration chapter. The chapter ends with:
--snip--
1. UserCert -   the module will look in ~/.muscle/user.cert for the
                certificate.
2. RootCert -   the module will retreive the certificate from the smartcard
                and validate the signature by looking at the RootCA's
                certificate in /etc/root.cert. It will also check that the
                username corresponds to the username in the certificate.
--snip--

After loading and extracting the MusclePAM.zip from your source I have
a more complete configuration instruction.


Thanx a lot.

Ciao
    Matthias

Karsten Ohme wrote:

>Matthias Barmeier wrote:
>
>
>>Hi again,
>>
>>does anyone out there have a link to a step-by-step guide
>>from having a working muscle card to a working gdm/kdm/?dm login
>>with that card ???
>>
>>
>
>Is the README in MusclePAM not enough?
>
>By the way, the root cert option is not working with this, because a
>tool was missing to generate a certificate signing request. If you need
>this, then look at the version at:
>
>http://web.inf.tu-dresden.de/~ko189283/MuscleCard/
>
>file PAMCardInit, but the other stuff is also a bit different, but
>should compile against libmusclecard, although PIN pad support will be
>missing. Everything should be built by running "make" with the contained
>Makefile (at the moment there are no correct autoconf/automake build
>files contained).
>
>Karsten
>
>
>
>>Ciao
>>    Matthias
>>_______________________________________________
>>Muscle mailing list
>>[email protected]
>>http://lists.drizzle.com/mailman/listinfo/muscle

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
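
The README's RootCert check and the static-versus-dynamic distinction raised at the top of the thread, as an added example using the openssl command line (not code from libpam-musclecard or MusclePAM). It assumes the card's certificate has already been read out to a PEM file and that the user name is stored in the subject CN; `check_static`, `check_possession` and `make_demo_pki` are hypothetical helper names.

```sh
#!/bin/sh
# Added illustration; not code from libpam-musclecard or MusclePAM.
# Assumption: the card certificate is available as a PEM file and the
# login name is carried in the subject CN.

# Static check, as in the README's RootCert mode: chain the certificate to
# the root CA, then compare the name in the certificate with the login name.
check_static() {   # check_static ROOT_PEM CARD_PEM USERNAME
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$3" ]
}

# Dynamic check: the holder must sign a fresh nonce with the private key
# matching the certificate, so a copied certificate alone does not pass.
check_possession() {   # check_possession CARD_PEM NONCE_FILE SIG_FILE
    pub=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey >"$pub" &&
        openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# Constructed test PKI: a throwaway root CA plus one user certificate.
make_demo_pki() {   # make_demo_pki DIR USERNAME
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -out root.cert -subj "/CN=Demo Root CA" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout user.key \
          -out user.csr -subj "/CN=$2" &&
      openssl x509 -req -in user.csr -CA root.cert -CAkey ca.key \
          -CAcreateserial -out user.cert -days 1 ) >/dev/null 2>&1
}
```

`check_static` by itself accepts any copy of a valid certificate, which is the SDA-like property discussed above; `check_possession` adds the challenge-response step.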
