Can OpenSC do this?


Can OpenSC do this?

mpapet
Hi,

I have another question related to OpenSC functionality.  My objective is to
have our Linux email server authenticate my clients with a smart card token.
No smart card, no email.  Period.

It's mostly for mobile users, but it would be nice for local users too.

I realize there may be lots of coding to do on the windows client side, but
I work with engineers who can do that.

Michael


_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: Can OpenSC do this?

Stef Hoeben
Hi,

on Mozilla in Mail & Newsgroup Account Settings - Server Settings,
there are the "Use secure connection (SSL)" and "Use secure authentication"
options. Never tried them, but perhaps it would be as simple as turning
them on, and Mozilla may work in the same way as for https (using pkcs11)?

Cheers,
Stef

mpapet wrote:

>Hi,
>
>I have another question related to OpenSC functionality.  My objective is to
>have our Linux email server authenticate my clients with a smart card token.
>No smart card, no email.  Period.
>
>It's mostly for mobile users, but it would be nice for local users too.
>
>I realize there may be lots of coding to do on the windows client side, but
>I work with engineers who can do that.
>
>Michael
>
>


Re: Can OpenSC do this?

Andreas Jellinghaus-2
Hi Michael,

it's not an opensc issue but an issue of your mail application
and your mail server.

mail server can accept ssl client certificates for authentication.
I haven't tried so far with any server, nor heard anyone else trying
this. Feedback how to do this would be very welcome. (I'd like to do that
on my home system, too!)

the bigger problem I see is the client application.
If it is mozilla thunderbird, maybe using opensc pkcs11 module
will work for this, I haven't tried.

native windows applications will most likely use the native crypto api
interface to windows. the nice thing with this api is: if the application
does support client certificate authentication, it will not even know if
the crypto part and certificate is on a smart card or not, and thus
need no changes.

I think there are three crypto api providers for opensc (software that fills
the gap between the microsoft crypto api and pkcs#11 api offered by opensc):
 - belpic / zetes (for belpic cards only?)
 - ID Ally (identity alliance software)
 - CSP11

I tried the last two and they work fine, but might need some polishing
here and there. I need to create a real test server for more testing,
as my testing so far was quite small. but both teams are very responsive
and very interested in getting opensc with them to work...

Regards, Andreas

Re: Can OpenSC do this?

Peter Koch
Andreas Jellinghaus wrote:

> it's not an opensc issue but an issue of your mail application
> and your mail server.
>
> mail server can accept ssl client certificates for authentication.
> I haven't tried so far with any server, nor heard anyone else trying
> this. Feedback how to do this would be very welcome. (I'd like to do that
> on my home system, too!)
>
> the bigger problem I see is the client application.
> If it is mozilla thunderbird, maybe using opensc pkcs11 module
> will work for this, I haven't tried.

Stef Hoeben wrote:

> on Mozilla in Mail & Newsgroup Account Settings - Server Settings,
> there are the "Use secure connection (SSL)" and "Use secure authentication"
> options. Never tried them, but perhaps it would be as simple as turning
> them on, and Mozilla may work in the same way as for https (using pkcs11)?

Mozilla can fetch email via SSL-secured POP3. If a client-certificate is available
it will be used. The POP3-protocol requires a password. This is true, even if
the POP3-communication was done via a client-authenticated SSL connection
as the SSL-connection is just a tunnel for the POP3-protocol. As a consequence
Mozilla will ask you for a password after successful client-authentication.

I solved this for a customer lately as follows:

- Mozilla's Password-Manager is used to store the POP3-password, so users
are asked for their mail-password only once.

- Users may choose any password they like (we told them that their password
was 12345). Actually they don't have a password at all.

- the POP3-server was modified. It still asks for a password (otherwise
Mozilla would be confused). If Mozilla supplied a valid client-certificate
and the CN of that certificate contains the correct username, every
password will be accepted. Otherwise every password will be rejected.

This works fine for 3 months now.

Peter
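The server-side decision Peter describes, written out as an added example (this is not Peter's modified POP3 server, whose code is not in the thread). It assumes the TLS layer has already enforced a client certificate (Python's ssl module with CERT_REQUIRED) and that the server sees the peer certificate in the dict form returned by ssl.SSLSocket.getpeercert(). The sample certificate dict, CA/cert paths and the minimal USER/PASS handler are constructed for illustration. One deliberate difference from the post: the CN is compared for equality rather than "contains", since a substring check would also accept a certificate whose CN merely includes the requested mailbox name.

```python
import ssl
from typing import Optional

# Constructed sample: the shape ssl.SSLSocket.getpeercert() returns for a
# verified client certificate whose subject has CN=alice.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS server context that REQUIRES a client certificate chaining to ca_file.

    Because the password is ignored below, CERT_REQUIRED is the whole security
    boundary: with CERT_OPTIONAL or CERT_NONE, getpeercert() returns an empty
    dict for anonymous clients and the scheme would reject everyone, but a
    bug that treats an empty dict as "a certificate" would let anyone in.
    The file paths are placeholders supplied by the deployer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def common_name(peer_cert: Optional[dict]) -> Optional[str]:
    """Return the subject CN from a getpeercert()-style dict, or None.

    An empty dict (no certificate presented) and None both yield None.
    """
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authorize(peer_cert: Optional[dict], username: str, password: str) -> bool:
    """The scheme from the thread: the password is ignored entirely.

    Access is granted only if a verified client certificate was presented and
    its CN is exactly the mailbox the client asked for; otherwise every
    password is rejected.
    """
    cn = common_name(peer_cert)
    if cn is None:
        return False
    return cn == username


def run_pop3_auth(peer_cert: Optional[dict], client_lines: list[str]):
    """Drive the USER/PASS part of a POP3 session (RFC 1939) over lines that
    have already been read from the TLS socket. Returns (replies, authenticated).
    Constructed, minimal handler: only USER, PASS and QUIT are understood.
    """
    replies = ["+OK POP3 server ready"]
    user = None
    authenticated = False
    for line in client_lines:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            replies.append("+OK")
        elif cmd == "PASS":
            if user is not None and authorize(peer_cert, user, arg):
                authenticated = True
                replies.append("+OK mailbox locked and ready")
            else:
                replies.append("-ERR authentication failed")
        elif cmd == "QUIT":
            replies.append("+OK bye")
            break
        else:
            replies.append("-ERR not authenticated" if not authenticated
                           else "-ERR unsupported in this example")
    return replies, authenticated


if __name__ == "__main__":
    # Constructed session: the "12345" password from the post is accepted for
    # alice's own mailbox, and any password is rejected for another mailbox.
    print(run_pop3_auth(SAMPLE_PEER_CERT, ["USER alice", "PASS 12345", "QUIT"]))
    print(run_pop3_auth(SAMPLE_PEER_CERT, ["USER bob", "PASS 12345", "QUIT"]))
    print(run_pop3_auth(None, ["USER alice", "PASS 12345", "QUIT"]))
```

In a real deployment the dict passed to `run_pop3_auth` comes from `conn.getpeercert()` on the socket wrapped by `make_server_context(...)`; the handler itself never sees the password, which is exactly the property Peter relies on when telling users their password is 12345.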

Re: Can OpenSC do this?

Andreas Jellinghaus-2
could you put this information in the wiki,
maybe with some details such as what pop server
you used, some configuration parts or so?

Regards, Andreas