Jean-Michel Pouré - GOOZE wrote:
> On Tuesday 08 February 2011 at 15:30 +0100, Peter Stuge wrote:
> > Quality of key material is however very important, for all cards,
> > since these are security products.
> > If in fact a card is not so secure, then we will do the world a
> > service by pointing that out. Peer review, you know how it works.
>
> Sure, IMHO measuring the RSA generation duration and variability does
> not give any reliable information.

I would have to disagree; like Ludovic I think that indeed there
should be "high" variability of the time that it takes to generate a
key. I think you have done the most focused testing of this so far
but I also think that a lot more time measurements are needed to make
any conclusive claim about quality, either positive or negative.

> Are you doing peer review on that ... whaoooo I am impressed.

I'm not trying to impress you or anyone else. Please don't assume
that Ludovic or I are trying to impress someone, by putting Feitian
cards down. I quite like the Feitian cards specifically because of
manufacturer support making the cards work well with OpenSC and
because of your proposition to the community, but that's of course
only part of the story, and now we're talking about another important
quality metric.

> With duration and variation, you can only "guess" the unknown and this
> is not a scientific approach. You know the scientific approach: you
> should know what you compare and be able to compare to a standard. But
> there is no standard in timing key generation. And you don't know what
> exactly you are measuring: speed or quality of key.

I think it can sort-of work one way, but not the other. If key
generation is both fast and near constant time, then further analysis
may be warranted. (Though a bit difficult, since the key isn't
supposed to leave the card.) But key generation being slow is, as you
point out, not at all a guarantee that key quality is good.

You're right that it's not a completely scientific test, but at least
a larger set of samples is more indicative than a smaller set.

> > As has already been pointed out several times by now there has so far
> > not been really conclusive information about Feitian, only very
> > limited testing has been done.
>
> Not true. I cannot let you say that.

You misunderstood me. I'm sorry I wasn't more clear.

> We are doing daily testing and the card works better than many others.
> Furthermore, this is the #1 sales of OpenSC compatible cards.

Yes certainly. Again I think the proposition looks really good. The
limited testing I referred to is time measurement of key generation
and nothing else. You mentioned that you tested 10 times and got near
constant time results. I think many more iterations are needed to get
a view of how long key generation takes.

> This is enough for me losing time in this discussion. First I read
> "Looks like bad news for me". Then "Only limited testing has been
> done".

I guess you are more interested than anyone else in demonstrating
high quality of these cards, except maybe the manufacturer. 10 time
measurements are better than 2, but is still too small to say either
positive or negative things about the card IMO.

Others who have gotten cards also have an easy way to help out here,
by doing many measurements and posting some results. But you have a
unique opportunity having both access to many different cards, and
being in a very good relationship with the manufacturer. All of these
helpful for demonstrating highest quality.

//Peter