about the OpenPGP Card

Primiano Tucci p.tucci at gmail.com
Fri Jul 18 15:01:49 CEST 2008


On Fri, Jul 18, 2008 at 2:21 PM, Werner Koch <wk at gnupg.org> wrote:
> On Fri, 18 Jul 2008 12:18, p.tucci at gmail.com said:
>
>> Scute is a pkcs11 driver, it means that prior to make your card work
>> you need to have downloaded the libary, configured mozilla (and it
>> seems no way for IE) and have a working gpg-agent.
>
> Mozilla uses pkcs#11 as its crypto API thus you need such a driver.

This is absolutely incorrect.
I do NOT need the Mozilla crypto API, I do not need the entire PKCS#11
layer since my driver communicates directly via the T=1 protocol with the
card (thanks to Sun's Java low-level APIs).
I just need Java and the card reader drivers (but NOT PKCS#11);
that's the big point of the driver.

> Should also work with other browsers but not tested.  Windows port is
> under way.

Internet Explorer does not use the standard PKCS#11 layer... it uses a
more sophisticated layer (CSP).
There is an open source project (actually I forget the name) that claims
to act as a wrapper between the Microsoft CSP and the PKCS#11 layer, but I
never tested it.


>> My driver, on the other side, does not need anything, just a Java
>> installation... so if you are on another PC that has a smartcard
>
> And you need to allow Java in your browser.  Some folks hesitate to
> enable this.

Everyone chooses his own level of paranoia.
There are people that do not allow Internet on their computers :)
But it's 2008 and I suppose the probability of finding a Java
installation on a PC is realistically high (and absolutely higher than
the probability of finding a pkcs11 layer + gpg-agent + pkcs11 correctly
installed)

>> you can still have many chances to use your OpenPGP card (see my
>> openpgp openid project http://dev.primianotucci.com/openid/)
>
> Interesting.
>
>> I haven't looked at the 2.0 specifications (I'm waiting for the final
>> one)... I don't think there are actually OpenPGP cards that implement
>> such specifications (correct me if wrong)
>
> In a couple of months.  Actually the new spec has some feature to better
> support Java cards.
>
>> The driver is based on the 1.1 specs... I'll update it as soon as the
>> final 2.0 specs are ready.
>
> This is a release candidate - there are just a few typos left and
> possibly we need to extend the size of some fields.  I already started
> to implement that in GnuPG.
>
>> Honestly I think the fact that entering 3 wrong CHV3 destroys the
>> card is simply a shame... the "reset to blank" command should be a
>> must! (hopes for the 2.0 card :))
>
> Included in the new spec due to great public demand.  Now I just need
> to add a command to gpg to allow resetting the card.
>
>
> Salam-Shalom,
>
>   Werner
>
> --
> Thoughts are free.  Exceptions are regulated by a federal law.
>
>
Primiano Tucci
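The CHV3 point raised in this thread (three wrong entries lock the card for good under the 1.1 spec, with no reset command) is why a driver that speaks raw APDUs should read the card's retry counters before it ever sends a VERIFY. The following is an added example, not the driver discussed above: it uses javax.smartcardio (the Sun low-level API mentioned in the mail) to select the OpenPGP applet and parse the PW Status Bytes data object. The AID, the DO tag 0xC4 and its byte layout come from the OpenPGP card specification; using the first reader and the "T=1" connection string are assumptions.

```java
import javax.smartcardio.*;
import java.util.List;

public class OpenPgpRetryCheck {
    // OpenPGP card application AID (from the OpenPGP card specification)
    private static final byte[] OPENPGP_AID =
        {(byte) 0xD2, 0x76, 0x00, 0x01, 0x24, 0x01};

    // Parse the 7-byte "PW Status Bytes" DO (tag C4): byte 0 = PW1 validity,
    // bytes 1-3 = max lengths of PW1/RC/PW3, bytes 4-6 = remaining tries.
    static int[] parseRetryCounters(byte[] pwStatus) {
        if (pwStatus == null || pwStatus.length < 7)
            throw new IllegalArgumentException("short PW status DO");
        return new int[] { pwStatus[4] & 0xFF, pwStatus[5] & 0xFF, pwStatus[6] & 0xFF };
    }

    // GET DATA: CLA 00 INS CA, P1/P2 = tag, Le = 256 (accept any length)
    static byte[] getData(CardChannel ch, int tag) throws CardException {
        ResponseAPDU r = ch.transmit(new CommandAPDU(0x00, 0xCA, tag >> 8, tag & 0xFF, 256));
        if (r.getSW() != 0x9000)
            throw new CardException(String.format("GET DATA %04X failed: SW=%04X", tag, r.getSW()));
        return r.getData();
    }

    public static void main(String[] args) throws CardException {
        List<CardTerminal> terminals = TerminalFactory.getDefault().terminals().list();
        if (terminals.isEmpty()) { System.err.println("no card reader found"); return; }
        Card card = terminals.get(0).connect("T=1");   // assumption: first reader, T=1
        try {
            CardChannel ch = card.getBasicChannel();
            // SELECT by AID: CLA 00 INS A4 P1 04 P2 00, data = AID
            ResponseAPDU sel = ch.transmit(new CommandAPDU(0x00, 0xA4, 0x04, 0x00, OPENPGP_AID));
            if (sel.getSW() != 0x9000) { System.err.println("not an OpenPGP card"); return; }
            int[] tries = parseRetryCounters(getData(ch, 0x00C4));
            System.out.printf("remaining tries: PW1=%d RC=%d PW3(CHV3)=%d%n",
                              tries[0], tries[1], tries[2]);
            if (tries[2] == 0)
                System.out.println("CHV3 is already blocked on this card");
            else if (tries[2] == 1)
                System.out.println("WARNING: one more wrong CHV3 locks the card; do not send VERIFY");
        } finally {
            card.disconnect(false);
        }
    }
}
```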



More information about the Gnupg-devel mailing list