Jim Rees wrote:
> If I were doing it today, I'd give the card a usb interface, like
> etoken (or just use a usb token), and use some existing standards,
> maybe including tcp/ip, to talk to the card.

So maybe make it look like a USB ethernet device, and use IPv6. While sounding a bit unorthodox, it's an approach I have actually seen on devices, and it has the benefit of reusing a software stack that is very common in systems today: the network.

Anders, have you seen uIP, uIPv6 and maybe also Contiki, per Adam Dunkels at SICS?

http://www.sics.se/~adam/uip/index.php/Main_Page
http://www.sics.se/contiki/contiki-6lowpan-uipv6-faq.html
http://www.sics.se/contiki/

Also:

http://www.shapeshifter.se/code/uipv6/
http://hackaday.com/tag/uipv6/

> 7816-3 is an abomination, it's just job security for bit-twiddlers.

I'm glad you say that.

> As for making the card speak something closer to pkcs11, that's not
> a bad idea, but a bit too special purpose for my taste.

One thing that may be worth mentioning is that USB devices can have multiple interfaces active in parallel. There could be a new PKCS#11 over USB interface, and other interfaces alongside it, active at the same time, driven by different software if desired. CCID could be another interface, making the device backwards compatible with existing smart card software stacks.

I like the PKCS#11 over USB idea! I'm active in the libusb project, where we will shortly integrate Windows support for libusb-1.0. Using that it would pretty much be trivial to provide a single portable PKCS#11 driver for the device.

Another project to note is the open source PKCS#11 soft token called SoftHSM by OpenDNSSEC folks:

http://trac.opendnssec.org/wiki/SoftHSM

SQLite may be a bit much for smallish microcontrollers though.

> What about the biometric data from cac/piv? What about
> symmetric-key systems like kerberos? What about non-crypto apps
> like the phone book on your sim? 11 years ago we thought turning
> the card into a web server, and the services into web services,
> seemed like a good idea. That might not be the right model, but I
> think it's useful to think of the card as a service provider, not
> just a secure store.

These are really valid questions! Also, does it make sense for all these security providers to provide their services always using one and the same method? I'm not sure it will fit the requirements and desires of applications so well.

//Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
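The composite-device idea above (a CCID interface next to a PKCS#11 transport next to a USB ethernet interface, each bound to different host software) can be illustrated with the configuration descriptor such a device would present. The following is an added example, not code from the thread or from OpenSC or libusb: it builds a constructed configuration descriptor with four interfaces and parses it back the way a host stack does, binding each interface by its class code. The CCID class code (0x0B), the CDC/ECM codes (0x02/0x06 and 0x0A) and the descriptor layouts are from the USB, CCID and CDC specifications; the "PKCS#11 over USB" interface is hypothetical and is therefore modelled as a vendor-specific (0xFF) interface, and the CCID class descriptor body and the CDC functional descriptors are zero-filled placeholders that the parser skips. The parser also rejects the malformed-descriptor cases (inconsistent wTotalLength, zero or overrunning bLength, endpoint count mismatch) that a host-side driver has to guard against.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Descriptor types (USB 2.0 spec table 9-5, CCID rev 1.1 table 5.1-1)
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_CCID = 0x02, 0x04, 0x05, 0x21
# Interface class codes; 0xFF stands in for the hypothetical PKCS#11 transport
CLASS_CDC, CLASS_CDC_DATA, CLASS_CCID, CLASS_VENDOR = 0x02, 0x0A, 0x0B, 0xFF
CLASS_NAMES = {CLASS_CDC: "CDC control (ECM, USB ethernet)", CLASS_CDC_DATA: "CDC data",
               CLASS_CCID: "CCID smart card reader", CLASS_VENDOR: "vendor-specific (PKCS#11 over USB, hypothetical)"}
XFER = {0x00: "control", 0x01: "isochronous", 0x02: "bulk", 0x03: "interrupt"}


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int
    declared_endpoints: int
    endpoints: List[Tuple[int, str]] = field(default_factory=list)  # (bEndpointAddress, transfer type)


# --- builders for the constructed descriptor -------------------------------
def ep(addr: int, attrs: int, size: int = 64, interval: int = 0) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, size, interval)


def iface(num: int, cls: int, sub: int, proto: int, eps: List[bytes], extra: bytes = b"") -> bytes:
    hdr = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, len(eps), cls, sub, proto, 0)
    return hdr + extra + b"".join(eps)  # class-specific descriptors sit between interface and endpoints


def config(interfaces: List[bytes]) -> bytes:
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(interfaces), 1, 0, 0x80, 50) + body


CCID_CLASS_DESC = struct.pack("<BB", 0x36, DT_CCID) + bytes(52)  # placeholder: 54-byte CCID class descriptor, zero body

# Constructed composite device: CCID + hypothetical PKCS#11 transport + USB ethernet (ECM control + data)
COMPOSITE_CONFIG = config([
    iface(0, CLASS_CCID, 0, 0, [ep(0x01, 0x02), ep(0x81, 0x02), ep(0x82, 0x03, 8, 16)], CCID_CLASS_DESC),
    iface(1, CLASS_VENDOR, 0, 0, [ep(0x02, 0x02), ep(0x83, 0x02)]),
    iface(2, CLASS_CDC, 0x06, 0, [ep(0x84, 0x03, 16, 8)]),  # CDC functional descriptors omitted (placeholder)
    iface(3, CLASS_CDC_DATA, 0, 0, [ep(0x03, 0x02, 512), ep(0x85, 0x02, 512)]),
])


# --- host-side parser -------------------------------------------------------
def parse_configuration(buf: bytes) -> List[Interface]:
    """Walk the bLength-delimited descriptor chain and return the interfaces it declares."""
    if len(buf) < 9 or buf[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", buf, 2)[0]
    if total != len(buf):
        raise ValueError(f"wTotalLength {total} does not match buffer size {len(buf)}")
    interfaces: List[Interface] = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError(f"truncated descriptor header at offset {off}")
        length, dtype = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError(f"bad bLength {length} at offset {off}")
        d = buf[off:off + length]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("short interface descriptor")
            interfaces.append(Interface(number=d[2], cls=d[5], subclass=d[6], protocol=d[7], declared_endpoints=d[4]))
        elif dtype == DT_ENDPOINT:
            if not interfaces or length < 7:
                raise ValueError("endpoint descriptor without a preceding interface, or too short")
            interfaces[-1].endpoints.append((d[2], XFER[d[3] & 0x03]))
        # configuration header and class-specific descriptors (CCID 0x21, CDC 0x24) are skipped
        off += length
    for i in interfaces:
        if len(i.endpoints) != i.declared_endpoints:
            raise ValueError(f"interface {i.number}: bNumEndpoints {i.declared_endpoints} != {len(i.endpoints)} found")
    return interfaces


def driver_bindings(buf: bytes) -> List[str]:
    """One line per interface, as a host would hand each one to a class driver."""
    return [f"interface {i.number}: class 0x{i.cls:02X} -> {CLASS_NAMES.get(i.cls, 'unknown')}, "
            f"{len(i.endpoints)} endpoint(s)" for i in parse_configuration(buf)]


if __name__ == "__main__":
    for line in driver_bindings(COMPOSITE_CONFIG):
        print(line)
```

Run stand-alone, it lists the four interfaces and the class each would be bound to; the point is that the CCID interface is all an unmodified smart card stack sees, while the other interfaces are claimed by other drivers on the same device.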