5 auth-ids and 5 certs on iKey 3000

Jan Schermer
I've just obtained a cacert.org class1 certificate and wanted to import
it to my iKey3K, auth-id was created fine but I was not able to import
the certificate because of (sorry I closed the terminal) "Too small card
file size" (or card size, not sure)

I played with oberthur profile and tweaked it:

        odf-size        = 512;
        aodf-size       = 512;
        cdf-size        = 2048;
        prkdf-size      = 1024;
        pukdf-size      = 1024;
        dodf-size       = 512;

and now everything works...

what may be the side effects of this? Why is it not the default? Is
there some more "correct" way to import 5 certificates to one card?

Thanks

Jan

P.S. sorry for crossposting but opensc-user, though more appropriate, is
a little too young for me :)

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: 5 auth-ids and 5 certs on iKey 3000

Stef Hoeben
Hi Jan,

it's probably the cdf_size that was too small: the entire Distinguished Name
of the cert owner is put in there.

The downside of such large sizes is that you lose much space on what
is basically overhead, and that it takes more time to read those files.

All: how about putting only the CN (Common Name) of the owner's DN
into the CDF, or put an option in the profile or config file to turn
this on?

Stef

Jan Schermer wrote:

> I've just obtained a cacert.org class1 certificate and wanted to import
> it to my iKey3K, auth-id was created fine but I was not able to import
> the certificate because of (sorry I closed the terminal) "Too small card
> file size" (or card size, not sure)
>
> I played with oberthur profile and tweaked it:
>
>         odf-size        = 512;
>         aodf-size       = 512;
>         cdf-size        = 2048;
>         prkdf-size      = 1024;
>         pukdf-size      = 1024;
>         dodf-size       = 512;
>
> and now everything works...
>
> what may be the side effects of this? Why is it not the default? Is
> there some more "correct" way to import 5 certificates to one card?
>
> Thanks
>
> Jan
>
> P.S. sorry for crossposting but opensc-user, though more appropriate, is
> a little too young for me :)
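
Added example, not part of the original thread and not OpenSC code: to put numbers on the suggestion above of storing only the CN instead of the whole DN, this sketch DER-encodes an X.501 subject Name both ways and compares the sizes. The DN is constructed sample data, and the figures cover the subject Name field only, not a complete CDF entry.

```python
# Added example (not from the thread): DER size of a subject Name, full DN vs CN only.
# The DN below is constructed sample data; only the Name field is measured.

def der_len(n):
    """DER definite-length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(rdns):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, oid(t) + tlv(tag, v.encode("ascii"))))
        for t, tag, v in rdns))

PRINTABLE, IA5 = 0x13, 0x16
CN = ("2.5.4.3", PRINTABLE, "Jane Example")
FULL_DN = [
    ("2.5.4.6", PRINTABLE, "CZ"),
    ("2.5.4.10", PRINTABLE, "Example Org"),
    ("2.5.4.11", PRINTABLE, "IT"),
    CN,
    ("1.2.840.113549.1.9.1", IA5, "jane@example.org"),
]

def subject_bytes(n_certs, rdns):
    """Bytes spent on subject Names alone for n_certs entries."""
    return n_certs * len(name(rdns))

if __name__ == "__main__":
    for label, rdns in (("full DN", FULL_DN), ("CN only", [CN])):
        print(f"{label}: {len(name(rdns))} B each, {subject_bytes(5, rdns)} B for 5 certs")
```
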


Re: 5 auth-ids and 5 certs on iKey 3000

Nils Larsch
In reply to this post by Jan Schermer
Jan Schermer wrote:
> I've just obtained a cacert.org class1 certificate and wanted to import
> it to my iKey3K, auth-id was created fine but I was not able to import
> the certificate because of (sorry I closed the terminal) "Too small card
> file size" (or card size, not sure)
>
> I played with oberthur profile and tweaked it:

hmm, an iKey 3k token is not an oberthur card (it uses starcos spk 2.3)

>
>         odf-size        = 512;
>         aodf-size       = 512;
>         cdf-size        = 2048;
>         prkdf-size      = 1024;
>         pukdf-size      = 1024;
>         dodf-size       = 512;
>
> and now everything works...

what the hell did you do that a change in the oberthur profile changed
the starcos initialization ?

>
> what may be the side effects of this? Why is it not the default?

good question, we haven't had a real discussion about these questions
so far

> Is
> there some more "correct" way to import 5 certificates to one card?

the correct way to initialize a token depends on the intended
usage. But as we don't exactly know what the token will be used for
the current profiles are just a guess of what might be a good profile.

Nils
Re: 5 auth-ids and 5 certs on iKey 3000

Jan Schermer

>
> what the hell did you do that a change in the oberthur profile changed
> the starcos initialization ?
>
the original pkcs15 profile allowed me to store only 3 auth-ids (+3 certs)
generic oberthur allowed me 4 auth-ids (+4 certs) but I needed 5 ;)

I don't really know what cdf-size or odf-size is, I just guessed that
something needs to be increased (wrong)
I had to decrease cdf-size in original oberthur profile from 3072->2048
(guess).

Maybe there should be a profile for storing commercial (thawte,
verisign, or non-commercial like cacert-root) certificates with
just-to-fit sizes. I wonder what happens if I want to put 6th
certificate on the card ;)

>
>> Is
>> there some more "correct" way to import 5 certificates to one card?
>
>
> the correct way to initialize a token depends on the intended
> usage. But as we don't exactly know what the token will be used for
> the current profiles are just a guess of what might be a good profile.
>

I was talking about having a different auth-id for each cert... how much
overhead is that?


Re: 5 auth-ids and 5 certs on iKey 3000

Jan Schermer
In reply to this post by Stef Hoeben
No, actually in oberthur it was too big and I had to decrease it to fit
the 5th certificate... I've probably hit my card's memory limit ;)

Stef Hoeben wrote:

> Hi Jan,
>
> it's probably the cdf_size that was too small: the entire
> Distinguished Name
> of the cert owner is put in there.
>
> The downside of such large sizes is that you lose much space on what
> is basically overhead, and that it takes more time to read those files.
>
> All: how about putting only the CN (Common Name) of the owner's DN
> into the CDF, or put an option in the profile or config file to turn
> this on?
>
> Stef
>
> Jan Schermer wrote:
>
> I've just obtained a cacert.org class1 certificate and wanted to import
> it to my iKey3K, auth-id was created fine but I was not able to import
> the certificate because of (sorry I closed the terminal) "Too small card
> file size" (or card size, not sure)
>
> I played with oberthur profile and tweaked it:
>
>        odf-size        = 512;
>        aodf-size       = 512;
>        cdf-size        = 2048;
>        prkdf-size      = 1024;
>        pukdf-size      = 1024;
>        dodf-size       = 512;
>
> and now everything works...
>
> what may be the side effects of this? Why is it not the default? Is
> there some more "correct" way to import 5 certificates to one card?
>
> Thanks
>
> Jan
>
> P.S. sorry for crossposting but opensc-user, though more appropriate, is
> a little too young for me :)
>
