Date sent: Tue, 24 Apr 2001 20:47:13 +0200
From: Jean-Marc Desperrier <[EMAIL PROTECTED]>
Organization: Certplus
To: [EMAIL PROTECTED]
Subject: Re: Smart Card Readers
Send reply to: [EMAIL PROTECTED]
True about Netscape, but this assumes that all you want to do is
what Netscape can do. Have you ever tried putting a public key on
the iButton using PKCS-11 other than by C_GenerateKeyPair? I
did, and it does not work. Why? Because DS said it was not
designed to do so. They also state they wrote the PKCS-11 interface
to do the bare minimum required by Netscape. Now of course you
can write straight APDU code and do it, but who wants to write
custom software for every device on the market? But the real killer
is the speed. Who in their right mind would pay more for a device
which takes ~7 minutes to do a simple operation that any of the
other devices will do in ~15 seconds. And to add insult to injury, it
costs you more money for the honor to wait the 7 minutes. I don't
think very many of us common folk will tolerate a device that takes 3-7
minutes to sign every email we send.
On the ability to export private keys, that feature is of course
controlled by the sensitive flag and is under complete control of
whatever/whoever placed the data on the device. Once it is set,
nothing can retrieve the data (private key or whatever) off the
device. GemSAFE goes one additional step and requires all private
keys to be sensitive no matter what. And for extreme security that is
probably a good idea as long as you always remember that once
placed on the card, a private key can never be removed. That
implies that if someone other than you placed it there, like most of
the commercial CAs do, you do not have a backup of that key and
obtaining a duplicate of that key is next to impossible. And
remember, these devices have internal power that does die, and if you
are unlucky, one will fail a couple of months after you have placed
it in production. We have had several iButtons fail in a period of a
few months.
But, if you want to use the iButton, have at it.
Ken
"Kenneth R. Robinette" wrote:
> But no problem, if you order one, and try it out, you will not have to worry
> about the license. You will have given it to
> your kids to play with way before a year is up.
This said if you are successful in using the iButton with the pkcs#11, you can
be confident you have a program that can work with any pkcs#11 library that is
able to work with Netscape, no matter how badly the interface is implemented.
The only way to get it working is to do the same things as Netscape, in the same
order, with the same values in the arguments.
Any deviation from that means failure.
> Both the GemSAFE and Rainbow have very good PKCS-11 support
> and everything works as advertised. I can import/export SSH
> public/private keys and certs with no problem, and both work well
> with OpenSSL (thanks to all the excellent help from Dr. Henson).
Hum, import/export SSH public/private keys?
I know the Gemsafe cards allow you to import RSA private keys from PKCS#12.
Not sure if this is a great idea or not :-)
It is convenient in some cases.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__________________________________________________
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com