[Freeipa-devel] Fwd: access control in PCSC - does it apply to PKCS#11?

Jan Cholasta jcholast at redhat.com
Fri Feb 28 10:09:07 UTC 2014


Hi,

On 28.2.2014 10:11, Petr Spacek wrote:
> Hello list,
>
> Proposal for access control related to PC/SC smart cards follows.
>
> I have no idea if it applies to PKCS#11 or not but I think somebody
> knowledgeable in this area should look into it ...
>
> I'm sorry Honza :-)

Don't be, this seems to be related to PKCS#15 and PC/SC daemon only, 
neither of which we are going to interact with whatsoever (correct me if 
I'm wrong).

>
> Petr^2 Spacek
>
> -------- Original Message --------
> Subject: F21 System Wide Change: Access control in PCSC
> Date: Thu, 27 Feb 2014 16:59:14 +0100
> From: Jaroslav Reznik <jreznik at redhat.com>
> Reply-To: devel at lists.fedoraproject.org
> Organization: Red Hat, Inc.
> To: devel-announce at lists.fedoraproject.org
>
> = Proposed System Wide Change: Access control in PCSC =
> https://fedoraproject.org/wiki/Changes/PcscAccessControl
>
> Change owner(s): Nikos Mavrogiannopoulos <nmav at redhat.com>
>
> Add access control to PC/SC smart cards available in the system. Adding
> access control would (a) prevent unauthorized processes/users from reading
> data on a smart card, (b) prevent unauthorized processes/users from erasing
> a smart card, (c) prevent unauthorized processes/users from talking to the
> smart card firmware.
>
> == Detailed Description ==
> Add access control to PC/SC smart cards available in the system. Currently
> smart cards may provide their own access control for certain elements of a
> card such as a private key. Their access control method is typically a PIN,
> but can also be a biometric based one. That however, is not sufficient to
> prevent certain actions on the non-PIN protected elements. For example,
> cards that provide a PKCS #15 filesystem can be modified by anyone that has
> access in the system (e.g., erased using pkcs15-init -E).
>
> The default settings allowed should be similar to the default settings for
> hard disks, i.e., root and the user in console should be able to access the
> smart card.
>
> Adding access control would
> * prevent unauthorized processes/users from reading data on a smart card
> * prevent unauthorized processes/users from erasing a smart card
> * prevent unauthorized processes/users from talking to the smart card
> firmware
>
> The way access control will be implemented is using polkit which is already
> being used to control access to hard disks. As smart cards share a lot with
> hard disks (e.g., a filesystem, and are inserted by the console user),
> sharing the same access control method is beneficial.
>
> == Scope ==
> polkit support has to be added to PC/SC daemon. An initial version has
> already been developed and communicated upstream.
>
> * Proposal owners: The polkit support has to be merged with the Fedora
> package. That requires changes to the pcsc daemon only, but indirectly all
> packages that potentially may use smart cards are affected (opensc,
> firefox, ...).
>
> * Other developers: Packages that use PC/SC smart cards must be checked
> that they work as expected after the access control change.
>
> * Release engineering: No coordination is required.
>
> * Policies and guidelines: If there is any security policy documentation,
> it should be updated to include the new policies on smart cards (I couldn't
> find any such documentation though).


-- 
Jan Cholasta
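As an added illustration (not part of this thread or of the Fedora change itself), here is what the proposed default, root and the active console user may talk to pcscd and the card, looks like as a polkit rules file. The action ids `org.debian.pcsc-lite.access_pcsc` and `org.debian.pcsc-lite.access_card` are the ones pcsc-lite's polkit support defines and are assumed here; the small stand-in `polkit` object and the `decide()` helper exist only so the rule can be exercised outside polkitd.

```javascript
// Added example: a polkit rules file (path such as /etc/polkit-1/rules.d/50-pcsc.rules
// is assumed) expressing the proposal's default: root and the user at the console may
// use pcscd and the card, everyone else (SSH sessions, system services) is refused.
// The stand-in below exists only so the rule can be exercised outside polkitd; inside
// polkitd the real `polkit` global is present and this block is skipped.
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not handled" },
    _rules: [],
    addRule(fn) { this._rules.push(fn); },
    log(msg) { /* polkitd writes this to the journal; silent here */ },
  };
}

// Action ids assumed from pcsc-lite's polkit support (not quoted in the thread).
const PCSC_ACTIONS = ["org.debian.pcsc-lite.access_pcsc",
                      "org.debian.pcsc-lite.access_card"];

polkit.addRule(function (action, subject) {
  if (PCSC_ACTIONS.indexOf(action.id) === -1) {
    return undefined;              // not a pcsc action: let other rules / .policy decide
  }
  if (subject.user === "root") {
    return polkit.Result.YES;      // root, as for hard disks
  }
  if (subject.local && subject.active) {
    return polkit.Result.YES;      // the user physically at the console
  }
  polkit.log("pcsc: denying " + action.id + " for " + subject.user);
  return polkit.Result.NO;         // e.g. an SSH session or a background service
});

// Evaluate the registered rules the way polkitd does: the first explicit answer wins,
// and a rule that returns nothing leaves the decision to the defaults in the .policy file.
function decide(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== undefined) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subjects, in the shape polkitd hands to rules (user, local, active).
const consoleUser = { user: "alice", local: true,  active: true };
const sshUser     = { user: "alice", local: false, active: false };
const rootUser    = { user: "root",  local: false, active: false };
```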