KDE and smartcard support

Alon Bar-Lev alon.barlev at gmail.com
Wed May 23 01:15:12 BST 2007


On 5/23/07, Thiago Macieira <thiago at kde.org> wrote:
> Again, this is a broad and baseless statement. You're assuming that the Qt
> 4.3 release will mark the end of QSslSocket development, which is plainly
> not true. Are you saying that QCA is now deep frozen and will not add any
> new features either?

>From his description, they won't add hardware cryptography... They see
PKI as TLS/SSL only issue and not as it should be.
We need cryptography library for smartcard authentication,
encryption/decryption, signature/verification and all with software
based and hardware based keys.
But I promised not to bother you with this :)

> I agree with you that we need to understand what our user (where user =
> application authors) requirements are. I have not done such an analysis.
> If you have (and I assume you have, because you're being quite insistent
> on the requirements), please share with us.

user=application author
This is unique approach :)

I know what:
user=end user
Requirements are...

User got his national id card, this card contain minimum two
certificates and corresponding private keys. One for authentication
and one for signature.

The user wish to authenticate himself to the bank web site, he should
do so using TLS protocol, and prove his identity using the
authentication certificate/key which is located on his smartcard,
these cannot be exported to software store, so the TLS implementation
must support external key operations.

If the user already have a smartcard with authentication certificate,
why can't he use it in order to authenticate himself to kdm? Just like
Windows smartcard logon, the user will insert his smartcard, type his
passphrase and walla, he is in.

If the user have a decryption certificate, he can also encrypt all
kwallet data, so that they cannot be decrypted without his smartcard.

I leave kmail out for now.

Now for the developers...

TLS/SSL - The whole negotiation should be transparent, if a client
certificate is requested, the KDE framework should enumerate available
certificates (software and hardware), filter the list based on the
target web site chain, prompt the user to select the desired one,
handle passphrase prompt and token request prompt (if the token was
removed during session).

Data decryption/signature - The application should allow to select
decryption/signature certificate, when performing a decryption the
framework should handle the token prompt (if the token is not
available), passphrase prompt.

So basically we have three modes:

1. Enumerate objects at the time cryptographic operation is requested,
this suits interactive applications such as web browser.

2. Use preselected identity to perform signature/decryption.

3. Use dynamic slot events, perform some kind of operation when card
is insert/removed (kdm greeting/disconnect VPN).

If this what you expected, I will be glad to explain more... If this
is not, I will be grateful if you explain what you expect, it is very
important to me we all understand what proper smartcard integration
is.

Best Regards,
Alon Bar-Lev.




More information about the kde-core-devel mailing list