Functioning Dynamic Keychain with OpenSC

Functioning Dynamic Keychain with OpenSC

SiR GadaBout
Hi,

Further to my previous post that received absolutely no replies…

Are there any affordable (less than £30) USB Smart Card tokens that /can/ be used as fully-functional Dynamic Keychains in Keychain Access?  If proprietary software is required, then please include the cost of this in the less-than-£30 requirement.

When I say fully-functional, I mean that Keychain Access can be used to add data to the device, especially passwords.

Many thanks,

S.

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
Re: Functioning Dynamic Keychain with OpenSC

Jean-Michel Pouré - GOOZE
On Wednesday, 7 July 2010 at 03:27 +0100, Simon Burrell wrote:
> Further to my previous post that received absolutely no replies…

What post? I will try to reproduce on our Mac OS X station.

> Are there any affordable (less than £30) USB Smart Card tokens
> that /can/ be used as fully-functional Dynamic Keychains in Keychain
> Access?  If proprietary software is required, then please include the
> cost of this in the less-than-£30 requirement.

You already have a Feitian PKI card.

You may check this:
http://www.gooze.eu/feitian-epass-pki-token

This is absolutely equivalent to R-301 reader + Feitian PKI smartcard.

> When I say fully-functional, I mean that Keychain Access can be used
> to add data to the device, especially passwords.

Saving passwords to a smartcard? Could you point out some documentation
at Apple? I was not aware that it was possible to use Mac OS X to save
passwords in a smartcard.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Functioning Dynamic Keychain with OpenSC

Martin Paljak-2
In reply to this post by SiR GadaBout
Hello,

On Jul 7, 2010, at 5:27 AM, Simon Burrell wrote:
> Further to my previous post that received absolutely no replies…

You mean this post: http://www.opensc-project.org/pipermail/opensc-user/2010-June/004118.html ?

> Are there any affordable (less than £30) USB Smart Card tokens that /can/ be used as fully-functional Dynamic Keychains in Keychain Access?  If proprietary software is required, then please include the cost of this in the less-than-£30 requirement.
>
> When I say fully-functional, I mean that Keychain Access can be used to add data to the device, especially passwords.

No, AFAIK the OS X Tokend framework does not support write operations at all. OpenSC.tokend does not support writing any data. So it does not depend on the token type but the capabilities of OS X Keychain infrastructure.

--
Martin Paljak
@martinpaljak.net
+3725156495


Re: Functioning Dynamic Keychain with OpenSC

SiR GadaBout
Hi,

Yes, that was the post I was referring to.  It seems I've misunderstood Apple's use of the term Dynamic Keychain, if what you are saying is correct.  This also seems like a severe limitation of Smart Card implementation on OS X.

Can anyone confirm what Martin is saying, that OS X's Tokend infrastructure does not support writing to Dynamic Keychains? I'm just taking Martin at his word when he says "AFAIK," and assuming he's not 100% certain that this is the case.

If this is truly the case, what about the possibility of writing data onto the Smart Card using the OpenSC CLI tools that meets the format and specifications of the Keychain Access items, so that they are recognized as such—in other words, copying a file to the Smart Card that, when examined by Keychain Access, is recognized as a password file or similar, and represented as such in Keychain Access?

I'll be quite disappointed, not to mention disillusioned, if it turns out that such a basic thing has been omitted from Apple's Tokend implementation.  Even my basic usage has shown that such integration is vital for a satisfactory user experience.

Regards,

S.


Re: Functioning Dynamic Keychain with OpenSC

Martin Paljak-2
Hello,

On Jul 9, 2010, at 7:41 AM, Simon Burrell wrote:
> Yes, that was the post I was referring to.  It seems I've misunderstood Apple's use of the term Dynamic Keychain, if what you are saying is correct.

From where have you picked up the term "dynamic keychain" in the first place? I don't see it in the help or documentation anywhere. The fact that smart cards show up dynamically in keychain access as "keychains" with your keys and certificates (IF you have the correct Tokend implementation for does not make it a "normal" keychain that can store passwords or "secure notes". Smart cards just fit well into the "keychain" abstraction. That's why I refer to OS X support as CDSA/Keychain.


> This also seems like a severe limitation of Smart Card implementation on OS X.

Not really. People have very different perceptions of smart cards (some consider magstripes smart cards as well). Some take them as Ironkey replacements (meaning secure flash drives), others as "cards with unique serials". The smart cards that OpenSC supports are cryptographic (PKI) cards that deal mostly with (RSA) keys and X509 certificates. Enrollment and personalization have (traditionally) been outside of the scope of usage scenarios, so it is often a "special case".

This is the current-day reality. Yes, of course, I would love to see really nice and easy personalization capabilities built into operating systems and proper use by applications, but that dream has not been realized.


> Can anyone confirm what Martin is saying, that OS X's Tokend infrastructure does not support writing to Dynamic Keychains? I'm just taking Martin at his word when he says "AFAIK," and assuming he's not 100% certain that this is the case.

Last time I checked, when writing OpenSC.tokend, it was not possible. IMHO a Tokend is not designed for that. Smart card personalization (which basically means arbitrary writing) is a very "gray" area. But you are correct, I'm not 100% sure. One needs to open an ADC support request to find it out (unless you want to spend days hacking around OS X internals, which I don't want/have time to do).


> If this is truly the case, what about the possibility of writing data onto the Smart Card using the OpenSC CLI tools that meets the format and specifications of the Keychain Access items, so that they are recognized as such—in other words, copying a file to the Smart Card that, when examined by Keychain Access, is recognized as a password file or similar, and represented as such in Keychain Access?

No, it is not supported by OpenSC.tokend.

> I'll be quite disappointed, not to mention disillusioned, if it turns out that such a basic thing has been omitted from Apple's Tokend implementation.  Even my basic usage has shown that such integration is vital for a satisfactory user experience.

Feel free to e-mail Steve Jobs or your local Apple representative with the feature request!

--
Martin Paljak
@martinpaljak.net
+3725156495
