On Feb 24, 2010, at 11:07, Andreas Jellinghaus wrote:
> On Wednesday 24 February 2010 09:38:42, Martin Paljak wrote:
>> I was also just documenting the three different methods for accessing smart
>> cards with OpenSSH in the wiki:
>>
>> http://www.opensc-project.org/opensc/wiki/OpenSSH
>
> nice. but why document the old way? we could simply point
> to the old documentation included with each old release
> for that. new trunk/ might or might not work with openssh,
> but as we stop installing header files and *.pc files,
> we will break that anyway.

For completeness. If you download at the moment the latest published versions, this is what you get.

> and I wonder: why is "onepin-opensc-pkcs11.so" required?
> I forgot again what it was about, but I see it has
> hack_enabled, thus framework-pkcs15.c has different
> code paths.

It is not required. It (should) work with any PKCS#11 module.

> do we have a web page documenting the differences
> between opensc-pkcs11.so and onepin-opensc-pkcs11.so,
> and can we link to that? I guess most normal users
> will be fine with opensc-pkcs11.so?

No. It should be documented on http://www.opensc-project.org/opensc/wiki/PKCS11.

The difference is the number of objects exposed to the application.

opensc-pkcs11.so exposes all PINs, all keys and certificates. This can
a) take a long time (if you need to read all certificates off the card)
b) make applications behave in an annoying way (like Firefox, which will ask you the PINs of all slots before selecting a certificate)

onepin-opensc-pkcs11.so exposes only a single slot and single pin code with probably a single certificate. With EU eID cards it would be the authentication certificate which most applications that deal with authentication anyway use. It could be also taken as a "security feature" if you don't expose your non-repudiation key accidentally to an application that might mis-use it somehow.

I'll try to figure out a more helpful explanation

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
