<div dir="ltr">Thank you Evan, Donncha,<div><br></div><div>Regarding 1024-bit RSA support, take a look at <a href="http://www.fi.muni.cz/~xsvenda/jcsupport.html">http://www.fi.muni.cz/~xsvenda/jcsupport.html</a> - almost all JavaCard cards support that. </div><div><br></div><div>I'm a Java developer but it looks like I'm going to have to switch to (and learn) Python for this since almost all Tor utilities appear to only be maintained in Python (and I don't feel like reinventing the wheel in Java). We'll see...</div><div><br></div><div>Thanks Evan for the .onion links, I'll take a look. I'm still collecting data, testing hardware, etc. BTW, one of the cheapest options for this is <a href="http://www.ftsafe.com/product/epass/eJavaToken">http://www.ftsafe.com/product/epass/eJavaToken</a> - $12 at <a href="http://javacardos.com/store/smartcard_eJavaToken.php">http://javacardos.com/store/smartcard_eJavaToken.php</a> . Unfortunately it has a bug that prevents OpenPGP from running (something to do with signature padding, I didn't look much into it). My plan is to write a very small JavaCard-based applet to load onto the card - that only does RSA key generation and signing, nothing else. Easy to write and easy to audit.</div><div><br></div><div>Thanks again,</div><div>Razvan</div><div><br></div><div>--</div><div>Razvan Dragomirescu</div><div>Chief Technology Officer</div><div>Cayenne Graphics SRL</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 23, 2016 at 11:26 PM, Evan Margin <span dir="ltr"><<a href="mailto:twim@riseup.net" target="_blank">twim@riseup.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Donncha!<br>
<br>
Donncha Ó Cearbhaill:<br>
<span class="">> However his code was integrating with a smartcard at a very low<br>
> level by sending AT commands manually. I don't think that is the<br>
> best approach for compatibility.<br>
><br>
> I think a better way would be to interface with the tokens via the<br>
> PKCS#11 protocol. The majority of smartcards and HSMs implement this<br>
> standard and there are compatible implementations available for most<br>
> operating systems. The Python pykcs11 module should be a helpful<br>
> start [1].<br>
<br>
</span>Yeah, interfacing smartcard directly or via GnuPG scdaemon is not the<br>
best approach. But PKCS#11 in even worse. Much much worse. This standard<br>
is so huge that noone can implement it right. It raises enterance<br>
threshold so high that it will be used only by overproprietary entities.<br>
OpenPGP Card spec is pretty small so that everyone can write code within<br>
an hour and start to interface with a card. So did I. At least I know<br>
what's going on under the hood and these transparency and simplicity<br>
makes this setup more secure.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Ivan Markin<br>
_______________________________________________<br>
tor-dev mailing list<br>
<a href="mailto:tor-dev@lists.torproject.org">tor-dev@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev</a><br>
</div></div></blockquote></div><br></div>