[tor-dev] adding smartcard support to Tor

Ivan Markin twim at riseup.net
Mon May 23 20:26:30 UTC 2016


Hello Donncha!

Donncha Ó Cearbhaill:
> However his code was integrating with a smartcard at a very low
> level by sending AT commands manually. I don't think that is the
> best approach for compatibility.
> 
> I think a better way would be to interface with the tokens via the
> PKCS#11 protocol. The majority of smartcards and HSMs implement this
> standard and there are compatible implementations available for most
> operating systems. The Python pykcs11 module should be a helpful
> start [1].

Yeah, interfacing with a smartcard directly or via GnuPG scdaemon is not the
best approach. But PKCS#11 is even worse. Much, much worse. This standard
is so huge that no one can implement it right. It raises the entrance
threshold so high that it will be used only by overproprietary entities.
The OpenPGP Card spec is pretty small so that everyone can write code within
an hour and start to interface with a card. So did I. At least I know
what's going on under the hood and this transparency and simplicity
make this setup more secure.

--
Ivan Markin

