Mailing Lists: Apple Mailing Lists


Re: Keychain and Smart card




On Jan 12, 2006, at 7:27 AM, Will Hickie wrote:

Ben,

What do you mean by Virtual Card? How are you planning on getting a TokenD to work with a virtual card? :D

Will

What Will said. :-)

A "virtual" token is certainly an interesting idea, but you currently need a real card inserted to drive the process of getting a tokend loaded. Security and PCSC and the card reader's driver interact to determine which tokend to invoke. Your tokend's code won't ever be called unless the PCSC driver reports that a card insertion occurred.

-k


At 1:06 AM -0500 1/12/06, Ben Zhu wrote:
Ken.

Great comments!

Follow up, questions on the following comments.

In the case where the key is on a smartcard, the appropriate tokend
module's callback function will be invoked to perform the operation.

How does securityd recognize whether a key is on a smartcard or in a
file-based keychain? Is there a flag that can be set on a key to tell this?

There are a number of callback functions that a tokend module must
provide. securityd will call your tokend's provided callbacks to read
the contents of the card, sign or encrypt data, change the card's PIN,
and so on. You don't have to actually perform an operation with the
card, of course... you're free to tell the world "this card contains a
private key named 'foo'", and when securityd calls you to sign data with
that private key, you can actually go off and have the data signed on a
server (while pretending the card performed the operation), then hand
the signed data back to the caller.


Yes. This is really what I want.


Yes, if you can require the user to insert a smartcard which is managed
by your tokend module. As I suggested above, when your module is asked
to perform cryptographic operations, you can handle in whatever way you
like, such as communicating with a server to do the actual work.


I don't understand why we have to insert a smartcard. If we can
create a "virtual card" that mimics a real smartcard's behavior, a tokend
module (I mean my tokend) to manage this "virtual card" should be
fine. As you said, the tokend definitely needs to "provide" all the
cryptographic functions that securityd requires.

You won't be able to simply store a dummy key in a normal file-based
keychain, because then any cryptographic operations for that key will be
handled by the Apple CSP/DL.


I agree. So do I still need to create a keychain? Yes, the path should
point to the "virtual card", right?


Thanks a lot, Ben


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/will.hickie%40hisc.com


This email sent to email@hidden

References: 
 >RE: Keychain and Smart card (From: "Ben Zhu" <email@hidden>)
 >RE: Keychain and Smart card (From: Will Hickie <email@hidden>)


