pkcs and host keys

Jean-Michel Pouré - GOOZE jmpoure at gooze.eu
Fri Jan 20 05:23:41 EST 2012


Dear William,

> able to get it to work (with three different cards), and apparently
> neither has Apple, who attempted to integrate it but failed (I've never
> been able to get a smart card to work in OS X).

That's a pity you did not buy the right products. But never say "never".

A lot of smartcards/tokens have partial OpenSC implementations.
Smartcards and tokens are also usually quite expensive, because vendors
like to change hardware and drivers.

This is not the case with our products, which work perfectly and are
inexpensive.

Just have a look at our tutorials:
http://www.gooze.eu/tutorials

OpenSSH client with pkcs12 works like a charm.

Under GNU/Linux and FreeBSD, there were a couple of nasty bugs,
including libmtp disconnecting the smartcard/token, or libusb with a
race condition. But these have been fixed. Check our guide:
http://www.gooze.eu/howto/smartcard-quickstarter-guide/gnu-linux-installation

If you send me your address privately, I can donate a couple of free
products to you so you can change your mind.

> In my opinion (not that anyone should care), I'd say that the best bang
> for a developer's buck would be to only support smartcards that follow
> the Personal Identity Verification (PIV) NIST standard, which specifies
> the wire protocol for basic crypto operations like signing, etc. All new
> US government crypto tokens must support this, AFAIU, and it's becoming
> quite common.

PIV is outdated and frankly the ePass2003 is based on a SINGLE
integrated STMicroelectronics chip with EAL5+ certification. This is
quite a revolutionary token which weighs only 6 grams. Because of the high
integration, it is much cheaper: only 14.90€ per unit, and for people
buying 100 units the cost is only 9.90€.

We will soon offer cables for plugging the token directly into a
motherboard's internal USB ports. So securing a server key could become
very easy and cheap.

Kind regards,
Jean-Michel
-- 
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu