<p>Take the card home and use it to access work data? Are you going to issue readers as well? Without a PIN or something entered by the user there's no stopping a cloned or loaned card.</p>
<div class="gmail_quote">On Oct 6, 2011 9:46 PM, "Michael B. Trausch" <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br type="attribution">> On Thu, Oct 06, 2011 at 06:52:43PM -0400, Michael H. Warfield wrote:<br>
>> On Thu, 2011-10-06 at 16:11 -0400, Michael Trausch wrote: <br>>> > Just to clarify, I am not specifically looking for an OpenPGP smartcard...<br>>> > anything that'll do for auth is fine.<br>
>><br>>> Hmmm...<br>>><br>>> I haven't quite done what you are looking to do but you might check<br>>> into the Aladdin eToken cards / tokens. They have Windows software<br>>> which I believe MIGHT do what you want to do but you'd have to buy<br>
>> that separately. You'll need their pkcs11 driver to make the token<br>>> work with NSS, ssh, pgp/gpg, and pam but it can be done. I've used<br>>> these with ssh (ssh-agent on Fedora has NSS integration and NSS<br>
>> handles the pkcs11 side of the house when used with ssh-agent).<br>>> I've seen some code which, I think, logs you in when you insert a<br>>> smart card and locks your screen when you pull it out but have had<br>
>> no experience with it. The pam_usb module does something similar<br>>> but just uses a plain ole usb memory card on which some sort of key<br>>> is simply stored for that.<br>> <br>> I would like something where you can essentially lock the system, yes.<br>
> Well, actually, here is what I would _like_ to do, though I don't<br>> seriously know if this would be an attainable setup:<br>> <br>> * Be able to have my own CA (trusted roots aren't relevant here, I'd<br>
> be installing the root CA onto the systems I am managing).<br>> <br>> * Be able to use that CA to initialize a smart card, such that the<br>> smart card would be given to a person to use as their identity<br>
> card for network operations.<br>> <br>> * Be able to map a smart card's public key to a user, which is of<br>> course a prerequisite for everything else. In all probability<br>> this can easily be solved by using the CN field to indicate the<br>
> user's name and domain in email format.<br>> <br>> * Be able to use the card for networked workstation logins for<br>> specially configured computers on the business network.<br>> <br>> * Be able to use the card to gain access to mountable filesystems in<br>
> a secure manner for computers e.g., at home or other locations.<br>> Of course, when the card is removed the access to the filesystem<br>> should be revoked, it should become<br>> unmounted/disconnected/whatever.<br>
> <br>> * It should be possible to use that smart card with e.g., Firefox so<br>> that that identity card can go home with them, and they can gain<br>> access without a username and password to the company site(s).<br>
> <br>> * It should be possible to use that card to sign/encrypt mails<br>> "internally" (being a self-signed CA means that it wouldn't<br>> [rather, shouldn't] be used on the Internet, but internally the<br>
> cert can be validated); of course, we're talking about S/MIME<br>> here, because that's the only thing that works out of the box for<br>> all standard MUAs that I'm aware of (sorry, even though I am using<br>
> one right now, I don't consider terminal MUA to be standard<br>> anymore...)<br>> <br>> * It should be possible to do this regardless of the operating<br>> system on the client system. The card should be usable on<br>
> Windows, on OS X, and on Linux systems with a minimum of setup.<br>> <br>> * I don't want to know the private key. I don't want them to know<br>> the private key. I want to be able to provision a new card and<br>
> associate it with their user account with relative ease (and<br>> honestly, just signing their key with the CA would be sufficient<br>> for that, as long as they correctly format their user@domain.tld<br>
> when they create the CSR).<br>> <br>> * Also, I'd like it to be possible to have something better than a 4<br>> digit PIN on the stupid thing. I realize that many of the cards<br>> out there will burn themselves out (much like a SIM card does)<br>
> after a certain number of failed attempts, but that doesn't really<br>> mean much when people's 4-digit codes tend to be really<br>> predictable if you know the person for any length of time. Four<br>
> digit PIN numbers are evil. EVIL.<br>> <br>> Am I asking too much, do you think?<br>> <br>>> All that said... There are 2 types of Aladdin eToken cards.<br>>><br>>> There are the 72K (yes, I said "K" - you don't need much space for<br>
>> keys) Java tokens (smart cards in a USB format). These use their<br>>> Java cardlet to actually implement the crypto stuff in Java. They<br>>> reserve some of the space for updates to the Java cardlet so you<br>
>> really only have about 64K available on the card for keys (which can<br>>> store a couple dozen private keys - you don't store public keys or<br>>> whole certs on them). Those will run you in the $30-$40 range from<br>
>> CDW (<a href="http://cdw.com">cdw.com</a>). I've got a couple of those and don't really care for<br>>> them. People claim the Aladdin middleware (which uses a proprietary<br>>> protocol to talk to the cardlet) is buggy and klunky.<br>
> <br>> Java. On a card. Sheesh.<br>> <br>> I must be missing something, though. How can you do authentication if<br>> there aren't any certificates involved, unless you are keeping a<br>> database with every single public key. I'd like to just sign a<br>
> certificate and they can present that client certificate (or use it in<br>> any other valid way, for that matter).<br>> <br>>> There are also 32K and 64K CardOS cards which are slightly more<br>>> expensive (about $45 each for the 64K units I just bought a month<br>
>> ago or so). They still require an Aladdin pkcs11 driver but you can<br>>> locate that on the net for download. I've used the 32K tokens in<br>>> the past with ssh. Just starting to play with my new 64K ones now.<br>
>> Last ALE meeting on ssh, I had a keyring full of these things. They<br>>> can be formatted for use directly with OpenCT but the format is not<br>>> compatible with the Aladdin format, which you would need for any<br>
>> Windows Software. There are guides on the net on setting them up<br>>> and getting them working with Linux.<br>> <br>> So... cross-platform compatibility is a pipe dream? In order to make<br>> it possible to use truly smart cards that never leak the private key,<br>
> I'd have to give 1 user multiple keys so that they could use the right<br>> type based on whatever operating system they're using?<br>> <br>> Perhaps I am seeing why these things aren't ubiquitous....<br>
> <br>>> I've also heard that they CAN BE formatted for OpenPGP but I've<br>>> never done it and don't know anyone who has, but you say that's not<br>>> important to you.<br>> <br>> It's not. I use OpenPGP when I think to set it up. I used to sign<br>
> all my mail... I don't anymore, because nobody cares. I used to<br>> encrypt mails that I sent out, but I often got the complaint that it<br>> was unreadable because keychains were lost or somesuch. And besides,<br>
> if I didn't sign it, one really cannot legally prove that I said it,<br>> at least with the way things sit at the moment (a federal court, if<br>> I'm not mistaken, recently ruled that an IP address alone is not good<br>
> enough to identify a user on the Internet, and so anything left is<br>> circumstantial... well, mostly, but I digress).<br>> <br>> If someone really wants me to put a full-fledged digital signature on<br>> something, I will. But honestly, the last thing I used my PGP keys<br>
> for was to sign the last release tarball for AllTray.<br>> <br>> I would personally like something like a smart card that simply has a<br>> built-in reader, so that you can just plug it in. I don't want to see<br>
> its filesystem, I don't want access to the private key, I want it to<br>> expose the same sort of interface that the readers themselves do.<br>> Alas, I haven't found any of those yet, either.<br>> <br>
> And I still haven't got a bloody clue on how one would get anywhere<br>> close to started with provisioning the damn things.<br>> <br>> Maybe I'm not smart enough for this one... or maybe I need to invent<br>
> something that Just Works in a cross-platform manner? Yeah, like I<br>> have time for that...<br>> <br>> --- Mike<br>> _______________________________________________<br>> Ale mailing list<br>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a><br>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>> <a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><br>
</div>