[Pcsclite-muscle] Reliable reader names
Ubi-GT50
umberto.rustichelli at gt50.org
Thu Nov 30 08:04:04 PST 2023
Same here, what matters usually is keys/signatures/tokens, not the readers.
Both with many smart cards (up to 98 connected at the same time) and with
HSM-based solutions, I scan the "readers" at boot to look for the
cryptographic tokens, with one caveat.
I stumbled on an HSM vendor whose token IDs may change over time, when
creating new slot entries or removing some (the entries are software
entries in the filesystem, how they are related to the HW is opaque, I
think that the keys are encrypted in the filesystem and are loaded on
the HSM when required).
Thankfully, in that specific case, the token labels were reliable and
stable, so I had to count on labels instead of IDs, which is the
opposite of what I can do with smart cards, that often (all) share the
same label.
On 30/11/23 16:49, Sebastien Lorquet wrote:
> Hi,
>
> On 30/11/2023 at 15:54, Andreas Schwier wrote:
>> We are using that to connect SmartCard-HSMs automatically to cloud
>> services during system startup. Ideally we would spawn the connect
>> process based on USB activation, but then we would need to bypass
>> pcscd. Instead we create systemd units that connect a certain
>> SmartCard-HSM with a specified URL. In the systemd unit we specify the
>> reader name.
>
> The best option is not to do that. We have this exact situation at my
> company and we don't have to deal with reader names, at all.
>
> We just scan all readers and identify cards in them. We have some
> polling in place to identify removal and insertion of new cards.
>
> Identification is very easy to do in your case, since you know your
> card and you can select proper probing commands (select application?)
> instead of relying on the ATR.
>
> This allows you to identify cards by serial number or other card
> identifier, and use that in your config files and URLs. This has the
> advantage of being completely independent of the reader, you can
> identify the card in *any* reader.
>
> This is a better technique, because what you care about are *cards* not
> readers.
>
> (When a reader contains an unknown card, or no card, just release the
> reader so it can be used for something else.)
>
> Sebastien
>
>
> _______________________________________________
> pcsclite-muscle mailing list
> pcsclite-muscle at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/pcsclite-muscle
>
--
NOTICE In accordance with Reg. EU 2016/679, pursuant to art. 13, we
inform you that the Data Controller is GT50 SRL, via Giovanni Antonelli
50 00197 Roma, p.iva/cf 10707081005.
All information contained in this e-mail message and the files attached
to it is confidential and may be used exclusively by the specified
recipient.
Access to the e-mail and any use of its content by any unauthorized
party are strictly prohibited. If you receive this message in error,
please report it; using, copying or otherwise disclosing it by
communication and/or dissemination is absolutely forbidden, and it must
be deleted and all existing copies destroyed.
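The selection logic both posts describe, written out as an added example (it is not code from the pcsclite-muscle thread or from any of the posters): a scan result is matched against a config selector by card serial number, or by token label where the serial is not available, and never by reader name or slot ID. The `TokenInfo` records are constructed here to stand in for what a PKCS#11 scan (`C_GetSlotList` / `C_GetTokenInfo`) returns; the field names `slot_id`, `reader`, `label` and `serial` are assumptions of this example. It also covers the two failure modes from the thread: slot IDs that shift between scans, and several smart cards sharing one label, which the selector treats as an error rather than silently binding to the first match.

```python
"""Select a cryptographic token by a stable identifier instead of by reader name.

Added example, not code from the mailing-list thread. Token records are
constructed to mimic a PKCS#11 scan; field names are assumptions.
"""
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class TokenInfo:
    slot_id: int   # PKCS#11 slot ID: may change between scans on some HSMs
    reader: str    # PC/SC reader name: depends on USB topology and order
    label: str     # token label: stable on some HSMs, shared by many smart cards
    serial: str    # token serial number: card-specific, valid in any reader


class TokenNotFound(LookupError):
    """No token in the scan matches the selector."""


class TokenAmbiguous(LookupError):
    """More than one token matches, e.g. smart cards sharing a label."""


def select_token(tokens, *, serial=None, label=None):
    """Return the single token matching the selector.

    The serial is preferred (unique per card, reader-independent); the label
    is the fallback for HSMs whose IDs move but whose labels are stable.
    Raises on zero or multiple matches so a config never binds to the
    wrong card.
    """
    if serial is None and label is None:
        raise ValueError("a serial or a label selector is required")
    if serial is not None:
        matches = [t for t in tokens if t.serial == serial]
        what = "serial %r" % serial
    else:
        matches = [t for t in tokens if t.label == label]
        what = "label %r" % label
    if not matches:
        raise TokenNotFound("no token with %s" % what)
    if len(matches) > 1:
        readers = ", ".join(t.reader for t in matches)
        raise TokenAmbiguous("%s matches %d tokens (in readers: %s)"
                             % (what, len(matches), readers))
    return matches[0]


def pkcs11_uri(token):
    """Build an RFC 7512 PKCS#11 URI pinning the token by label and serial.

    Such a URI can sit in a config file or systemd unit instead of a reader
    name; attribute values are percent-encoded as the RFC requires.
    """
    return "pkcs11:token=%s;serial=%s" % (
        quote(token.label, safe=""), quote(token.serial, safe=""))


# Constructed scan results: the same three tokens seen at boot and again after
# slots were re-created and the readers enumerated in a different order.
SCAN_AT_BOOT = [
    TokenInfo(0, "ACS ACR38U 00 00", "Company CA", "4C3F0012"),
    TokenInfo(1, "ACS ACR38U 01 00", "Company CA", "4C3F0077"),
    TokenInfo(2, "Example HSM slot", "backup-signing", "HSM-A1"),
]
SCAN_AFTER_RESLOT = [
    TokenInfo(5, "ACS ACR38U 01 00", "Company CA", "4C3F0077"),
    TokenInfo(7, "Example HSM slot", "backup-signing", "HSM-A1"),
    TokenInfo(9, "ACS ACR38U 00 00", "Company CA", "4C3F0012"),
]


if __name__ == "__main__":
    # The same selector resolves correctly even though slot IDs changed.
    for scan in (SCAN_AT_BOOT, SCAN_AFTER_RESLOT):
        card = select_token(scan, serial="4C3F0077")
        hsm = select_token(scan, label="backup-signing")
        print("card -> slot", card.slot_id, pkcs11_uri(card))
        print("hsm  -> slot", hsm.slot_id, pkcs11_uri(hsm))
    # Selecting smart cards by their shared label is refused, not guessed.
    try:
        select_token(SCAN_AT_BOOT, label="Company CA")
    except TokenAmbiguous as exc:
        print("refused:", exc)
```

In a real deployment the scan list would be rebuilt on each insertion/removal event (the polling both posters mention), and the serial for a smart card would come from the card's own probing command rather than from `C_GetTokenInfo`; the selection rule stays the same.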