which usb token is best for openct/opensc usage


which usb token is best for openct/opensc usage

Heiko Baumann-3

hi list,

i am using aladdin etoken pro for years. first the 32k version and now the
64k token. setup is easy with openct/opensc without any aladdin middleware
and it works great with openssh, openvpn and firefox. also pkcs11-data for
luks keys etc. is really great.

now i've got an etoken pro 72k java because the cardos based tokens are
EOL. i searched the lists and from what i've read one needs an engineering
version of the token which allows to upload a compatible applet to (maybe)
get it working with openct/opensc without aladdin middleware.

so i'm currently not sure if i should get one of the engineering 72k tokens
and give it a try or if there are other tokens which are plug and play just
like the cardos based aladdin tokens.

are there any recommendations for good usb tokens which work with
openct/opensc without proprietary middleware just like my 64k etoken?

regards
heiko
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: which usb token is best for openct/opensc usage

João Poupino-4
Hi Heiko,

I have had good results with the Muscle applet + the Aladdin eToken 72K (engineering). It is very fast (considerably faster than eToken 32K and 64K in my tests) and has been working just fine.

Be warned that you must use the CCID driver from Aladdin, or enable a small change in opensc.conf for it to work flawlessly. According to Dr. Ludovic [1], this token has some issues.

The big challenge seems to get hold of the engineering version of the token. I have had the luck to get a token from an Aladdin representative, but I have not seen them at retail stores.

Regards,
João

[1] - http://www.opensc-project.org/pipermail/opensc-devel/2009-April/012128.html

On May 30, 2010, at 21:30, Heiko Baumann wrote:

>
> hi list,
>
> i am using aladdin etoken pro for years. first the 32k version and now the
> 64k token. setup is easy with openct/opensc without any aladdin middleware
> and it works great with openssh, openvpn and firefox. also pkcs11-data for
> luks keys etc. is really great.
>
> now i've got an etoken pro 72k java because the cardos based tokens are
> EOL. i searched the lists and from what i've read one needs an engineering
> version of the token which allows to upload a compatible applet to (maybe)
> get it working with openct/opensc without aladdin middleware.
>
> so i'm currently not sure if i should get one of the engineering 72k tokens
> and give it a try or if there are other tokens which are plug and play just
> like the cardos based aladdin tokens.
>
> are there any recommendations for good usb tokens which work with
> openct/opensc without proprietary middleware just like my 64k etoken?
>
> regards
> heiko

Re: which usb token is best for openct/opensc usage

Jonathan SEMCZYK
Hi all,

From a French reseller I was able to get in touch with a SafeNet
representative. They sent me 2 engineering versions of the token for
trials. With all I found on this List the token works pretty well.

SafeNet is ready to produce tokens already loaded with the Muscle Applet,
but they need the CAP file (only found an IJC file here). I am still not
able to get any, I need more time to build my own MUSCLE applet.

I already posted some questions here, with no luck,
http://lists.drizzle.com/pipermail/muscle/2010-May/008319.html

Regards,
Jon.

On 31/05/2010 17:41, João Poupino wrote:

> Hi Heiko,
>
> I have had good results with the Muscle applet + the Aladdin eToken 72K (engineering). It is very fast (considerably faster than eToken 32K and 64K in my tests) and has been working just fine.
>
> Be warned that you must use the CCID driver from Aladdin, or enable a small change in opensc.conf for it to work flawlessly. According to Dr. Ludovic [1], this token has some issues.
>
> The big challenge seems to get hold of the engineering version of the token. I have had the luck to get a token from an Aladdin representative, but I have not seen them at retail stores.
>
> Regards,
> João
>
> [1] - http://www.opensc-project.org/pipermail/opensc-devel/2009-April/012128.html

Re: which usb token is best for openct/opensc usage

João Poupino-4
IMHO, the MuscleApplet is not quite ready for massive production deployment yet. It is being actively improved upon, and at this time, key ideas are still being discussed. We believe it could play an important role with Javacards, but not in its current state, mainly because there are ideas that should solidify first. This will probably imply changes to both the applet and OpenSC.

Again, this is just my humble opinion. Martin, who has recently been the main driving force behind the evolution of the Muscle applet, should chime in on the matter and give us his insight :)

In the meanwhile, you can find a CAP file and a summary of some of the ideas being discussed in [1].

Best regards and good luck,
Joao

[1] - http://www.opensc-project.org/opensc/wiki/MuscleApplet


On May 31, 2010, at 18:00, Jonathan SEMCZYK wrote:

> Hi all,
>
> From a French reseller I was able to get in touch with a SafeNet
> representative. They sent me 2 engineering versions of the token for
> trials. With all I found on this List the token works pretty well.
>
> SafeNet is ready to produce tokens already loaded with the Muscle Applet,
> but they need the CAP file (only found an IJC file here). I am still not
> able to get any, I need more time to build my own MUSCLE applet.
>
> I already posted some questions here, with no luck,
> http://lists.drizzle.com/pipermail/muscle/2010-May/008319.html
>
> Regards,
> Jon.

Re: which usb token is best for openct/opensc usage

Andreas Jellinghaus-2
In reply to this post by Heiko Baumann-3
what about some reader for sim card size cards like
the "Gemalto USB Shell V2 (GemPC Key)" and a smart card
in sim size format? that way you can replace one component
if the other one is broken.

if you buy some other token, maybe benchmark those first
before buying many (some tokens I have for testing are
quite slow for some reason).

I guess CardOS M4 smart cards are still available, and many
shops offer to cut cards into sim size format.

Regards, Andreas

Re: which usb token is best for openct/opensc usage

Josef Windorfer
I'm using the "Smart Token KOBIL mIDentity"
(http://pcsclite.alioth.debian.org/shouldwork.html#0x0D460x3014) and a
Feitian smart card in sim format.
(http://www.opensc-project.org/opensc/wiki/FTCOSPK01C)

It works with libccid + pcsc-lite very well. I have to add the Device
and Vendor ID (0d46:3014 Kobil Systems GmbH) in the file
"Info.plist" (operating system: Ubuntu 10.04).

Greets Josef



On 31.05.2010 21:11, Andreas Jellinghaus wrote:

> what about some reader for sim card size cards like
> the "Gemalto USB Shell V2 (GemPC Key)" and a smart card
> in sim size format? that way you can replace one component
> if the other one is broken.
>
> if you buy some other token, maybe benchmark those first
> before buying many (some tokens I have for testing are
> quite slow for some reason).
>
> I guess CardOS M4 smart cards are still available, and many
> shops offer to cut cards into sim size format.
>
> Regards, Andreas
> _______________________________________________
> opensc-user mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-user
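
The Info.plist change Josef describes, as an added example that is not part of the original post or of libccid's own code: the driver's reader list is three parallel arrays (`ifdVendorID`, `ifdProductID`, `ifdFriendlyName`), so a new reader has to be appended to all three at the same position. The sample plist and its two existing entries are constructed, and the friendly name string is an assumption taken from the product name in the post.

```python
import plistlib

# Constructed, heavily shortened stand-in for libccid's Info.plist.
# A real file carries more keys and several hundred readers.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ifdVendorID</key>
    <array>
        <string>0x1234</string>
        <string>0x1234</string>
    </array>
    <key>ifdProductID</key>
    <array>
        <string>0x0001</string>
        <string>0x0002</string>
    </array>
    <key>ifdFriendlyName</key>
    <array>
        <string>Constructed Reader A</string>
        <string>Constructed Reader B</string>
    </array>
</dict>
</plist>
"""

KEYS = ("ifdVendorID", "ifdProductID", "ifdFriendlyName")


def parse_usb_id(text):
    """Turn an lsusb-style id such as '0d46:3014' into (vendor, product) ints."""
    vendor, product = text.split(":")
    return int(vendor, 16), int(product, 16)


def reader_table(info):
    """Return (vendor, product, name) rows, refusing a file whose arrays drifted apart."""
    vids, pids, names = (info[k] for k in KEYS)
    if not (len(vids) == len(pids) == len(names)):
        raise ValueError("ifdVendorID/ifdProductID/ifdFriendlyName differ in length")
    return [(int(v, 16), int(p, 16), n) for v, p, n in zip(vids, pids, names)]


def is_listed(info, usb_id):
    """True if the vendor:product pair already has a row (hex case is ignored)."""
    wanted = parse_usb_id(usb_id)
    return any((v, p) == wanted for v, p, _ in reader_table(info))


def add_reader(info, usb_id, name):
    """Append one reader to all three arrays; return False if it was already there."""
    if is_listed(info, usb_id):
        return False
    vid, pid = parse_usb_id(usb_id)
    info["ifdVendorID"].append(f"0x{vid:04X}")
    info["ifdProductID"].append(f"0x{pid:04X}")
    info["ifdFriendlyName"].append(name)
    return True


def demo():
    info = plistlib.loads(SAMPLE_INFO_PLIST)
    before = is_listed(info, "0d46:3014")
    added = add_reader(info, "0d46:3014", "KOBIL mIDentity")
    again = add_reader(info, "0D46:3014", "duplicate attempt")
    # Round-trip through the serialised form, as when the file is written back.
    patched = plistlib.loads(plistlib.dumps(info))
    return before, added, again, reader_table(patched)[-1]


if __name__ == "__main__":
    print(demo())
```

pcscd has to be restarted to pick up the edited file, and a libccid package update replaces Info.plist, so the check is worth repeating after upgrades.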

Re: which usb token is best for openct/opensc usage

Jonathan SEMCZYK
In reply to this post by João Poupino-4
Hi Joao,

Thanks for your feedback.

I like those eToken, I found them pretty small and you cannot open the
token without breaking it.

The thing with SafeNet is that they are only allowed to sell locked
tokens (engineering are for development use only, you can get only few
samples). If the Applet changes I will not be able to reload it myself.
And I'll probably have to buy new tokens.
Our reseller can sell us a basic pack of 10 tokens, not very expensive,
around 30 euros the token.

For now we will start with a bunch of eTokens and, after some time, try
some other more. Like Heiko I am interested if anyone has a good
experience with USB Tokens.

Regards,
Jon.

On 31/05/2010 19:25, João Poupino wrote:

> IMHO, the MuscleApplet is not quite ready for massive production deployment yet. It is being actively improved upon, and at this time, key ideas are still being discussed. We believe it could play an important role with Javacards, but not in its current state, mainly because there are ideas that should solidify first. This will probably imply changes to both the applet and OpenSC.
>
> Again, this is just my humble opinion. Martin, who has recently been the main driving force behind the evolution of the Muscle applet, should chime in on the matter and give us his insight :)
>
> In the meanwhile, you can find a CAP file and a summary of some of the ideas being discussed in [1].
>
> Best regards and good luck,
> Joao
>
> [1] - http://www.opensc-project.org/opensc/wiki/MuscleApplet

Re: which usb token is best for openct/opensc usage

Jean-Michel Pouré - GOOZE
In reply to this post by Heiko Baumann-3
On Sun, 2010-05-30 at 22:30 +0200, Heiko Baumann wrote:
> are there any recommendations for good usb tokens which work with
> openct/opensc without proprietary middleware just like my 64k etoken?

Gooze will soon be releasing Feitian token, which OpenSC pcsc+libccid
(OpenCT not needed). I am still validating the token before ordering
them.

If you can wait 2 weeks maximum, I will be able to deliver them in
quantity and fast shipping.

--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: which usb token is best for openct/opensc usage

João Poupino-4
In reply to this post by Jonathan SEMCZYK
Well, my personal experience with the eToken 72K has been very positive. That I can say.

You could go the eToken 72K route now - and it will probably work fine for you - but in the future, you may have issues with OpenSC because we may change stuff that will break current cards loaded with the Muscle applet. This will not be very nice, especially since SafeNet will make the applet permanent on the card...

You could also explore the suggestions given by Andreas and Jean-Michel. Jean-Michel seems very active in supporting the tokens sold by Gooze.

Joao

P.S. - I'm not affiliated with Aladdin/SafeNet nor Gooze :)

On Jun 1, 2010, at 9:11, Jonathan SEMCZYK wrote:

> Hi Joao,
>
> Thanks for your feedback.
>
> I like those eToken, I found them pretty small and you cannot open the token without breaking it.
>
> The thing with SafeNet is that they are only allowed to sell locked tokens (engineering are for development use only, you can get only few samples). If the Applet changes I will not be able to reload it myself. And I'll probably have to buy new tokens.
> Our reseller can sell us a basic pack of 10 tokens, not very expensive, around 30 euros the token.
>
> For now we will start with a bunch of eTokens and, after some time, try some other more. Like Heiko I am interested if anyone has a good experience with USB Tokens.
>
> Regards,
> Jon.

Re: which usb token is best for openct/opensc usage

Martin Paljak-2
Hello,

On Jun 1, 2010, at 12:50 , João Poupino wrote:

> You could go the eToken 72K route now - and it will probably work fine for you - but in the future, you may have issues with OpenSC because we may change stuff that will break current cards loaded with the Muscle applet. This will not be very nice, especially since SafeNet will make the applet permanent on the card...
The best of course would be to get clean engineering version tokens, which will leave you the freedom of managing your tokens the full cycle.

> On Jun 1, 2010, at 9:11, Jonathan SEMCZYK wrote:
>>
>> I like those eToken, I found them pretty small and you cannot open the token without breaking it.
True, the same reason why I like actual tokens not the sim+adapter solution. For example there's the real "will it survive in a keyring, in the pocket" test which good tokens survive without problems.



>>
>> The thing with SafeNet is that they are only allowed to sell locked tokens (engineering are for development use only, you can get only few samples). If the Applet changes I will not be able to reload it myself. And I'll probably have to buy new tokens.
>> Our reseller can sell us a basic pack of 10 tokens, not very expensive, around 30 euros the token.

They can sell customized tokens in batches of 10 if you send them a cap file? 10 tokens 300 euros? OK.

>>
>> On 31/05/2010 19:25, João Poupino wrote:
>>> IMHO, the MuscleApplet is not quite ready for massive production deployment yet. It is being actively improved upon, and at this time, key ideas are still being discussed. We believe it could play an important role with Javacards, but not in its current state, mainly because there are ideas that should solidify first. This will probably imply changes to both the applet and OpenSC.
>>>
>>> Again, this is just my humble opinion. Martin, who has recently been the main driving force behind the evolution of the Muscle applet, should chime in on the matter and give us his insight :)
>>>
>>> In the meanwhile, you can find a CAP file and a summary of some of the ideas being discussed in [1].

I expanded the page with some more information and personal observations. Maybe a philosophical explanation why JavaCards are (IMHO) good and somewhat superior to "vendor cards" (they won't be "discontinued" in the same manner, you have full control and open source software on the card side as well, you can create flexible and innovative features etc) should be written as well.
Right now I'm trying to get an in-house "upgrade" (or downgrade, depends on your viewpoint) of the MuscleApplet cleaned to a state where it could be pushed to github. The "problem" of OpenSC is that it is hard to find a good balance between "works well for me" and "works well in a universal way", which means that generalizing special handling is difficult.

The important part is that MuscleApplet is not a static card, meaning "here is the applet, it is frozen, we have support for it in OpenSC, nothing else to do now" but it should be brought up to date as well, and evolve with OpenSC (or other tools) as the muscle framework, as was correctly noted before, is almost dead these days, without major systematic improvements in past years.

If there are people out there who would be interested in trying it out and helping out, I can send a free JavaCard to people interested in development and/or testing. It might require a little bit deeper knowledge of the smart card field and it might not be an easy ride in the beginning, but I'm sure that in the long run it is a very viable and good option.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


Re: which usb token is best for openct/opensc usage

Jean-Michel Pouré - GOOZE
In reply to this post by Heiko Baumann-3
On Sun, 2010-05-30 at 22:30 +0200, Heiko Baumann wrote:
> are there any recommendations for good usb tokens which work with
> openct/opensc without proprietary middleware just like my 64k etoken?

Just a quick note that we ordered the Feitian PKI token, which is a
combination of Feitian PKI and R-301 reader, with pcsc+ccid support. No
OpenCT or any ifhandler needed. The token may require a firmware upgrade
in the future, as it is a brand new product. We will only have 20 in
stock and we will receive the token within a week.

Kind regards,
--
                      GOOZE - http://www.gooze.eu
                   High quality cryptographic tools
                  for GNU/Linux, Mac OS X and Windows
                     including the FEITIAN PKI card
                31 avenue Lucien René Duchesne - Bât. 11
                  78170 LA CELLE-SAINT-CLOUD - FRANCE
       Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 27 87 52 38
                          SIRET 51090831200018


Re: which usb token is best for openct/opensc usage

Heiko Baumann-3
In reply to this post by João Poupino-4

hi joao,

thanks for this info.

just to make sure I have understood everything correctly:

the etoken 72k engineering version is not for retail/mass market and not
sold in a normal shop.
the "normal" version comes preloaded with an applet from aladdin. so it is
not possible to use it without proprietary middleware.
there are resellers who are allowed to sell customized tokens if you send
them an applet.
but if opensc or the muscle applet changes, the tokens may not work anymore
(with a new opensc version) so one needs to buy a new token or find
someone/a way to replace the applet.
there are issues with pcscd so i have to use the CCID or use the
"connect_reset = false" workaround.


so if i would go the 72k route and do not update to a new (maybe
incompatible) opensc version everything would be fine?

does the "connect_reset = false" workaround have any known drawbacks?


if you talk about the tokens sold by Gooze do you mean the "Gemalto USB
Shell V2"?

do you have a link to Gooze? google found nothing useful for "gooze". if
it's not okay to send this link to this list please send it via private
mail. :)

thanks a lot for your help!

regards
heiko

On Tue, 1 Jun 2010 10:50:43 +0100, João Poupino <[hidden email]>
wrote:
> Well, my personal experience with the eToken 72K has been very positive.
> That I can say.
>
> You could go the eToken 72K route now - and it will probably work fine for
> you - but in the future, you may have issues with OpenSC because we may
> change stuff that will break current cards loaded with the Muscle applet.
> This will not be very nice, especially since SafeNet will make the applet
> permanent on the card...
>
> You could also explore the suggestions given by Andreas and Jean-Michel.
> Jean-Michel seems very active in supporting the tokens sold by Gooze.
>
> Joao
>
> P.S. - I'm not affiliated with Aladdin/SafeNet nor Gooze :)
>
> On Jun 1, 2010, at 9:11, Jonathan SEMCZYK wrote:
>
>> Hi Joao,
>>
>> Thanks for your feedback.
>>
>> I like those eToken, I found them pretty small and you cannot open the
>> token without breaking it.
>>
>> The thing with SafeNet is that they are only allowed to sell locked
>> tokens (engineering are for development use only, you can get only few
>> samples). If the Applet changes I will not be able to reload it myself.
>> And I'll probably have to buy new tokens.
>> Our reseller can sell us a basic pack of 10 tokens, not very expensive,
>> around 30 euros the token.
>>
>> For now we will start with a bunch of eTokens and, after some time, try
>> some other more. Like Heiko I am interested if anyone has a good
>> experience with USB Tokens.
>>
>> Regards,
>> Jon.
>>
>> Le 31/05/2010 19:25, João Poupino a écrit :
>>> IMHO, the MuscleApplet is not quite ready for massive production
>>> deployment yet. It is being actively improved upon, and at this time,
>>> key ideas are still being discussed. We believe it could play an
>>> important role with Javacards, but not in its current state, mainly
>>> because there are ideas that should solidify first. This will probably
>>> imply changes to both the applet and OpenSC.
>>>
>>> Again, this is just my humble opinion. Martin, who has recently been the
>>> main driving force behind the evolution of the Muscle applet, should
>>> chime in on the matter and give us his insight :)
>>>
>>> In the meanwhile, you can find a CAP file and a summary of some of the
>>> ideas being discussed in [1].
>>>
>>> Best regards and good luck,
>>> Joao
>>>
>>> [1] - http://www.opensc-project.org/opensc/wiki/MuscleApplet
>>>
>>>
>>> On May 31, 2010, at 18:00, Jonathan SEMCZYK wrote:
>>>
>>>  
>>>> Hi all,
>>>>
>>>> From a French reseller I was able to get in touch with a SafeNet
>>>> representative. They sent me 2 engineering versions of the token for
>>>> trials. With all I found on this List the token works pretty well.
>>>>
>>>> SafeNet is ready to produce tokens already loaded with the Muscle Applet,
>>>> but they need the CAP file (only found an IJC file here). I am still not
>>>> able to get any, I need more time to build my own MUSCLE applet.
>>>>
>>>> I already posted some questions here, with no luck,
>>>> http://lists.drizzle.com/pipermail/muscle/2010-May/008319.html
>>>>
>>>> Regards,
>>>> Jon.
>>>>
>>>> On 31/05/2010 17:41, João Poupino wrote:
>>>>    
>>>>> Hi Heiko,
>>>>>
>>>>> I have had good results with the Muscle applet + the Aladdin eToken
>>>>> 72K (engineering). It is very fast (considerably faster than eToken
>>>>> 32K and 64K in my tests) and has been working just fine.
>>>>>
>>>>> Be warned that you must use the CCID driver from Aladdin, or enable a
>>>>> small change in opensc.conf for it to work flawlessly. According to
>>>>> Dr. Ludovic [1] , this token has some issues.
>>>>>
>>>>> The big challenge seems to get hold of the engineering version of the
>>>>> token. I have had the luck to get a token from an Aladdin
>>>>> representative, but I have not seen them at retail stores.
>>>>>
>>>>> Regards,
>>>>> João
>>>>>
>>>>> [1] - http://www.opensc-project.org/pipermail/opensc-devel/2009-April/012128.html
>>>>>
>>>>> On May 30, 2010, at 21:30, Heiko Baumann wrote:
>>>>>
>>>>>
>>>>>      
>>>>>> hi list,
>>>>>>
>>>>>> i am using aladdin etoken pro for years. first the 32k version and now the
>>>>>> 64k token. setup is easy with openct/opensc without any aladdin middleware
>>>>>> and it works great with openssh, openvpn and firefox. also pkcs11-data for
>>>>>> luks keys etc. is really great.
>>>>>>
>>>>>> now i've got an etoken pro 72k java because the cardos based tokens are
>>>>>> EOL. i searched the lists and from what i've read one needs an engineering
>>>>>> version of the token which allows to upload a compatible applet to (maybe)
>>>>>> get it working with openct/opensc without aladdin middleware.
>>>>>>
>>>>>> so i'm currently not sure if i should get one of the engineering 72k tokens
>>>>>> and give it a try or if there are other tokens which are plug and play just
>>>>>> like the cardos based aladdin tokens.
>>>>>>
>>>>>> are there any recommendations for good usb tokens which work with
>>>>>> openct/opensc without proprietary middleware just like my 64k etoken?
>>>>>>
>>>>>> regards
>>>>>> heiko

Re: which usb token is best for openct/opensc usage

Andreas Jellinghaus-2
In reply to this post by Andreas Jellinghaus-2
On Sunday 13 June 2010, at 13:58:19, Heiko Baumann wrote:
> hi andreas,
>
> thanks for this info.
>
> do you know if this reader and a CardOS M4 smart card can be initialized
> like the etoken pro 64k?:-)
Let's just wait out a grace period. In the end, Christian Hüttermann
has to decide how he wants to proceed from here. I have only answered
a question and restated a willingness that has existed for a good
10 years :-)

I am not going to drag anyone along who does not want to go.

Perhaps the time of a special-purpose site "linux.de" is already just as
over as that of "fliessend-wasser.de" and "strom-aus-der-steckdose.de" :-)

Best regards - Johannes

yes, the same smart card is inside both, so there is no difference.

and to my knowledge the reader works fine with openct, if you
prefer openct over pcsc-lite + ccid.

> and does it work with just openct/opensc (without pcscd)? i am using a
> modified initramfs on gentoo linux to read my luks passphrase from the
> etoken on boot so everything except my /boot partition is crypted with
> luks. the passphrase is read with pkcs11-data. so it would be great if the
> gemalto reader/smart card would work like this :)

sorry, I can't help with gentoo or pkcs11-data or luks, but I guess
those work with openct/opensc. if not, please contact those projects.
also no idea about "modified initramfs" - but I always had great
success using standard binaries in initramfs files (i.e. no special
libc or compiler options or other strangeness).

Regards, Andreas

Re: which usb token is best for openct/opensc usage

Jean-Michel Pouré - GOOZE
In reply to this post by Heiko Baumann-3
On Sun, 2010-06-13 at 15:15 +0200, Heiko Baumann wrote:
>
> do you have a link to Gooze? google found nothing useful for "gooze".
> if
> it's not okay to send this link to this list please send it via
> private
> mail. :)

Here it is:
http://www.gooze.eu/feitian-pki-usb-token

--
                      GOOZE - http://www.gooze.eu
                   High quality cryptographic tools
                  for GNU/Linux, Mac OS X and Windows
                     including the FEITIAN PKI card
                31 avenue Lucien René Duchesne - Bât. 11
                  78170 LA CELLE-SAINT-CLOUD - FRANCE
       Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 27 87 52 38
                          SIRET 51090831200018


Re: which usb token is best for openct/opensc usage

Martin Paljak-2
In reply to this post by Heiko Baumann-3
On Jun 13, 2010, at 16:15 , Heiko Baumann wrote:
> just to make sure I have understood everything correctly:
>
> the etoken 72k engineering version is not for retail/mass market and not
> sold in a normal shop.
> the "normal" version comes preloaded with an applet from aladdin. so it is
> not possible to use it without proprietary middleware.
> there are resellers who are allowed to sell customized tokens if you send
> them an applet.
Above seems to be indeed the way you described.

> but if opensc or the muscle applet changes, the tokens may not work anymore
> (with a new opensc version) so one needs to buy a new token or find
> someone/a way to replace the applet.
> there are issues with pcscd so i have to use the CCID or use the
> "connect_reset = false" workaround.
>
>
> so if i would go the 72k route and do not update to a new (maybe
> incompatible) opensc version everything would be fine?
Yes. The problem with Muscle applet is that even though there's just a single support driver for it in OpenSC, the applet itself can reside in different cards and can be compiled with different options. So basically the same way there are different versions of proprietary card COS-s, which require different drivers in OpenSC, there can be different versions of the Muscle Applet.

It should be a priority to freeze the (currently pretty frozen) Muscle Applet driver (Added API version check) but you will probably not be able to make use of improvements that can happen on the applet side.

Keeping OpenSC compatible with existing cards is a priority.





> does the "connect_reset = false" workaround have any known drawbacks?
I don't know of real issues, the card should be logged out when it is disconnected so leaving it without reset should have no consequences.



> if you talk about the tokens sold by Gooze do you mean the "Gemalto USB
> Shell V2"?
Don't think so, it should be a feitian reader.



--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
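
An added example, not from the thread or the OpenSC project: a shell check that reports whether the "connect_reset = false" workaround discussed above is active in a given opensc.conf. It assumes the OpenSC 0.11-era layout, where the key sits in the "reader_driver pcsc" block and defaults to true; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the OpenSC 0.11-era opensc.conf layout, where
# connect_reset lives in the "reader_driver pcsc" block and defaults to true.

# Print the effective connect_reset value ("true" or "false") for the
# pcsc reader driver in the opensc.conf given as $1.
pcsc_connect_reset() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        /reader_driver[ \t]+pcsc[ \t]*[{]/ { inblk = 1; next }
        inblk && /[}]/ { inblk = 0 }                # end of the pcsc block
        inblk && /(^|[ \t])connect_reset[ \t]*=/ {
            v = $0
            sub(/.*=[ \t]*/, "", v)                 # keep text after "="
            sub(/[ \t]*;.*/, "", v)                 # drop ";" and the rest
            value = v
        }
        END { print (value == "" ? "true" : value) }
    ' "$1"
}

# Constructed sample: stock file with the setting left commented out.
write_stock_conf() {
    cat > "$1" <<'EOF'
app default {
    reader_driver pcsc {
        # Reset the card after disconnect?
        # connect_reset = true;
    }
}
EOF
}

# Constructed sample: the same file with the workaround applied.
write_workaround_conf() {
    cat > "$1" <<'EOF'
app default {
    reader_driver pcsc {
        connect_reset = false;
    }
}
EOF
}

tmp=$(mktemp -d)
write_stock_conf "$tmp/stock.conf"
write_workaround_conf "$tmp/fixed.conf"
echo "stock:      connect_reset=$(pcsc_connect_reset "$tmp/stock.conf")"
echo "workaround: connect_reset=$(pcsc_connect_reset "$tmp/fixed.conf")"
rm -rf "$tmp"
```

Running the function against each host's opensc.conf shows where card reset on disconnect has been turned off, so the setting can be revisited if the token or CCID driver changes.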


Re: which usb token is best for openct/opensc usage

João Poupino-4
In reply to this post by Heiko Baumann-3
Hi,

On Jun 13, 2010, at 14:15, Heiko Baumann wrote:

>
> hi joao,
>
> thanks for this info.
>
> just to make sure I have understood everything correctly:
>
> the etoken 72k engineering version is not for retail/mass market and not
> sold in a normal shop.
> the "normal" version comes preloaded with an applet from aladdin. so it is
> not possible to use it without proprietary middleware.
> there are resellers who are allowed to sell customized tokens if you send
> them an applet.

Yes, this is my understanding.

> but if opensc or the muscle applet changes, the tokens may not work anymore
> (with a new opensc version) so one needs to buy a new token or find
> someone/a way to replace the applet.

Well, possibly. Probably compatibility would be maintained with the "old" driver, and the new version would require a muscleV2 driver. Worst case scenario, it won't work with newer versions of OpenSC; best case scenario, it will :)

> there are issues with pcscd so i have to use the CCID or use the
> "connect_reset = false" workaround.
>

This happens at least with my token. Don't know if it affects all tokens.
>
> so if i would go the 72k route and do not update to a new (maybe
> incompatible) opensc version everything would be fine?

It should. But a newer version could have some important security fix, and not updating could be bad policy.

>
> does the "connect_reset = false" workaround have any known drawbacks?

This is only needed if you're using the open source CCID driver. In Windows (with Windows' own CCID driver) and with Aladdin's driver, it works.
Regarding the drawbacks, maybe someone on the list could explain the implications.

>
>
> if you talk about the tokens sold by Gooze do you mean the "Gemalto USB
> Shell V2"?
>
> do you have a link to Gooze? google found nothing useful for "gooze". if
> it's not okay to send this link to this list please send it via private
> mail. :)

See Jean-Michel's reply earlier.

>
> thanks a lot for your help!
>

Anytime.

Regards,
Joao

> regards
> heiko
>




Re: which usb token is best for openct/opensc usage

Jean-Michel Pouré - GOOZE
In reply to this post by Heiko Baumann-3
On Sun, 2010-06-13 at 15:15 +0200, Heiko Baumann wrote:
> do you have a link to Gooze? google found nothing useful for "gooze".
> if
> it's not okay to send this link to this list please send it via
> private
> mail. :)

Here is the direct link to the Feitian PKI USB token:
http://www.gooze.eu/feitian-pki-usb-token

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
