On Thu, May 19, 2011 at 1:22 PM, Martin Paljak wrote:
> Hello,
>
> On Mon, May 9, 2011 at 23:22, Alon Bar-Lev wrote:
>> This had been raised long ago.
>> Create a proxy PKCS#11 that uses another PKCS#11.
> p11-kit might be the right tool for this kind of thing?
Hi,
There is no difference betwe
Hello,
On Mon, May 9, 2011 at 23:22, Alon Bar-Lev wrote:
> This had been raised long ago.
> Create a proxy PKCS#11 that uses another PKCS#11.
p11-kit might be the right tool for this kind of thing?
http://p11-glue.freedesktop.org/
Hello Alon,
On Fri, May 6, 2011 at 20:22, Alon Bar-Lev wrote:
>> For the sake of usability, exclusive mode should only be used *if needed*.
>> From security perspective, it does not really matter, because if your host
>> is compromised, such software tricks are worthless. But daily smart card
2011/5/9 Jean-Michel Pouré - GOOZE :
> Dear Alon,
>
> Could you comment on the alternative, where OpenSC would behave as a
> client-server application pooling access requests from applications and
> locking the card in exclusive mode, i.e. work as a proxy.
>
> Kind regards,
Hi,
This had been raised l
On Saturday 07 May 2011 at 23:43 +0300, Alon Bar-Lev wrote:
> The authentication cookie solves above, PINPAD, BIO efficiently,
> however it requires card to support it. You get a cookie out of
> PIN/PINPAD operation/BIO match. The cookie is valid as long as card is
> powered on and policy permits.
On Sat, May 7, 2011 at 10:57 PM, Peter Stuge wrote:
> Alon Bar-Lev wrote:
>> However, there are some advanced cards that can generate
>> authentication token, so you can actually authenticate once using
>> PIN get authentication token out of the card (many can be available
>> at same time), then e
Alon Bar-Lev wrote:
> However, there are some advanced cards that can generate
> authentication token, so you can actually authenticate once using
> PIN get authentication token out of the card (many can be available
> at same time), then each transaction is authenticated using these
> tokens. This
1. Firefox behaves correctly, it opens long living session with crypto
token, in order to reduce the number of times user is prompted for
passphrase.
2. Firefox monitors slots, to be able to detect new certificate
availability so it can prompt the user for one if requested. It is
true that it can
On Sat, 07-05-2011 at 08:01 +0200, Frank Morgner wrote:
> Hi!
[...]
> In your example, Juan, you say that Firefox calls C_Init to initialize
> the card for pkcs11. I'm not an expert for p11, but is it really needed
> to actually lock the card on initialization and keep an established
> connec
Hi!
> Many thanks Frank and Martin, using exclusive mode solved my problem:
...
> I wonder if there is not a problem in shared mode or if we should not
> ask users to use exclusive mode only.
No problem, I had a similar problem where two applications accessed a
smart card. One "initialized" the
On 06/05/2011 21:23, Juan Antonio Martinez wrote:
> Sure: there are some cases where this approach fails:
> SSL renegotiation when signing applet is running; two pkcs11
> trying concurrent access to the card... but this is not
> as usual as thought.
IMHO you could avoid troubles using a simple st
On Fri, 06-05-2011 at 16:43 +0200, Jean-Michel Pouré - GOOZE
wrote:
> On Friday 06 May 2011 at 17:24 +0300, Martin Paljak wrote:
> > But daily smart card usage usually means using different applications.
>
> OK. But shared mode does not work very well, especially with OpenSSH and
> Icewe
On Fri, May 6, 2011 at 5:24 PM, Martin Paljak wrote:
> Hello,
>
>
> On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote:
>>
>> I wonder if there is not a problem in shared mode or if we should not
>> ask users to use exclusive mode only.
>
> For the sake of usability, exclusive mode should
From a user's perspective, having to shut down an application
so another could start is not very friendly. Do we need a
tool to force a logoff/unlock/reset/... so a user could start
an operation with another application, without having to shutdown
the first?
With the mini-driver, Windows login w
On Friday 06 May 2011 at 17:24 +0300, Martin Paljak wrote:
> But daily smart card usage usually means using different applications.
OK. But shared mode does not work very well, especially with OpenSSH and
Iceweasel (Firefox) together. I did some heavy testing and found
usability problems in sh
Hello,
On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote:
>
> I wonder if there is not a problem in shared mode or if we should not
> ask users to use exclusive mode only.
For the sake of usability, exclusive mode should only be used *if needed*.
From security perspective, it does no
On Friday 06 May 2011 at 15:41 +0200, Frank Morgner wrote:
> AFAIK, SCardConnect immediately returns an error if an application
> wants
> to access a reader which is already in exclusive use. Have you tried
> switching on exclusive mode in the configuration file of OpenSC? (Note
> that this do
Hello,
On May 6, 2011, at 16:41 , Frank Morgner wrote:
>>
>> Is there a way to inform opensc-pkcs11.so that a communication is
>> already established by Firefox and that SSH should start without using
>> pkcs11?
>
> AFAIK, SCardConnect immediately returns an error if an application wants
> to acc
On Friday, May 06 at 03:03PM, Jean-Michel Pouré - GOOZE wrote:
> On Friday 06 May 2011 at 14:41 +0300, Martin Paljak wrote:
> > Have a look at the wiki:
> > http://www.opensc-project.org/opensc/wiki/SecurityConsiderations
>
> Sure.
>
> I am worried about:
> * Application A opens communicati
On Friday 06 May 2011 at 14:41 +0300, Martin Paljak wrote:
> Have a look at the wiki:
> http://www.opensc-project.org/opensc/wiki/SecurityConsiderations
Sure.
I am worried about:
* Application A opens communication with token and locks it.
* Application B tries to open communication with to
On 2011-05-06 13:41, Martin Paljak wrote:
>
> On May 5, 2011, at 23:02 , Jean-Michel Pouré - GOOZE wrote:
>
>> Dear all,
>>
>> Some simple questions:
>>
>> When used with lock_login = false;
>> authenticated tokens are available for all users.
>>
>> For knowledge, what would be the technical solu
On May 5, 2011, at 23:02 , Jean-Michel Pouré - GOOZE wrote:
> Dear all,
>
> Some simple questions:
>
> When used with lock_login = false;
> authenticated tokens are available for all users.
>
> For knowledge, what would be the technical solution to secure access in
> shared mode?
Have a look
Dear all,
Some simple questions:
When used with lock_login = false;
authenticated tokens are available for all users.
For knowledge, what would be the technical solution to secure access in
shared mode?
1) Previously, we discussed a proxy which would lock access to
smartcard. Users would
23 matches