At 02:12 PM 4/23/2012, Martin Paljak wrote:
>On Mon, Apr 23, 2012 at 20:45, Michael StJohns <mstjohns@comc...> wrote:
>>>In practice the only common open source applet, MuscleApplet,
>> There's also "CoolKey" derived from Muscle as well as a few open versions of the PIV II applet.
>I'm aware of CoolKey. I'm not aware of any PIV II open source applets.
>Do you have pointers/links?
Let me see if I can find them... last time I looked was about a year ago.
>As CoolKey is derived from Muscle, it has mostly the same problems.
>>>from perfect for the on-card code, because:
>>>a) it is in practice proprietary
>> I'm not sure how you came to this conclusion. As far as I can tell, it uses no proprietary classes (and I'm not counting the GP and OP classes as proprietary) and I've been able to run it on at least 5 or 6 different cards. (I think it's 4 different families including the old e-card stuff).
>Yes, it is open source and adheres to JavaCard standards and is
>usable(/portable) to different cards, even different javacard
>revisions, but the *interface* it implements is
>proprietary/legacy/non-standard, meaning that it is built 1:1 for
>*-muscle* only. Thus proprietary for what it's worth.
OK - we have a slightly different view of what "proprietary" means in this instance. For me "proprietary" is "owned by an organization that may change the interfaces at any time, even if information about the information is otherwise public" E.g. Microsoft and the various Windows APIs.
The Muscle API is public, well defined, and as near as I can tell, not claimed by anyone these days (except maybe David?). And hasn't changed in 10 years.
It is NOT an ISO 7816 standard - but given how much it costs to buy those standards, that may be a good thing.
PIV II is also not an ISO 7816 standard, it is publicly available, but is a proprietary standard (under my meaning) of the US Government (specifically NIST).
7816-15 is based on PKCS15 - a proprietary, but publicly available standard from RSA Labs, developed with community input.
>Muscle does not import OP/GP classes, thus it is "free" from that POV.
Amusingly enough, CoolKey does import OP classes.
>>>b) it is not really maintained
>> It's true there is no real formal maintenance in place for this, but as I recall, there is a public repository, and as recently as last year or so a few fixes were placed there. It's probably more correct to say there is no one formally responsible for such maintenance.
>> Somewhat more annoying is the lack of a release cycle for the supporting C programs and drivers, especially with respect to Windows. Coolkey is somewhat supported on the Mac platform though.
>I only know that Coolkey gets mentioned by a) dogtag/redhat folks b)
>PIV/CAC folks where there is some host-side plugin under the same
>umbrella, which does PIV/CAC.
Right - there are three plug-ins for Muscle - the CoolKey plugin, the Muscle plugin and the PIV plugin. The Muscle framework API then talks to those and has things like PKCS11 layered upon it.
>IIRC all the muscle things were removed from Debian some time ago, if
>that is a sign of anything.
You mean the repository? Yes - it moved. I think Ludovic created the new repository.
>> And I do have a copy of the version 2 applet which was supposed to replace v1, but doesn't seem to have ever made it to that point.
>Interesting, what are the main differences?
Support for a bunch more algorithms mainly. I thought of starting from that base of code and re-writing the object support to incorporate things like the javacard object collection. Just haven't gotten around to it.
>>>c) unrelated to fact that it has code in OpenSC to support the card,
>>>it has no resemblance with ISO 7816-4/8/15, which OpenSC is tailored
>>>towards. Which makes it an awkward target in OpenSC.
>> It is correct it is not an -8 or -15 emulation applet. It *is* a -4 applet. AIRC, at the time MuscleApplet was written, -8 really hadn't gotten enough traction and -15 wasn't even a gleam in the drafter's eye.
>-15 as a data format is maybe really not relevant here, but -8 dates
>back to 1995, according to Wikipedia. I don't know what is supposed to
>define 7816-4 support, but IMHO claiming that Muscle supports 7816-4
>is as good as claiming that telnet supports HTTP because they both do
>TCP/IP. But again, 7816-X is a nice ambiguous pile of things, which
>nicely fits the "three blind men and elephant" story :)
No - -4 is the APDU model which is pretty much the basis for everything else we build. -8 seems to date from 99 as a published document. Cards supporting -8 didn't really start arriving until around 2004 or so (when the version 2 document was created). -15 wasn't published for the first time until 2004 and cards supporting it didn't really make it out to the retail chain until 2008 or so.
You could go back and re-write muscle to -8 specs, in fact as additional functions in the applet without deprecating the others, but to be blunt - the -8 functions are clumsy to use.
>>>Having a standards-compliant open source applet would be a huge
>>>benefit, both for the ecosystem as well as OpenSC. But developing this
>>>requires quite a lot of different resources (time, money, motivation
>>>etc) and to date no one has shown interest in this.
>> Maybe - but depending on your needs, it may just be simpler to buy -8 and -15 compliant cards.
>In the context of JavaCards.
>There are some notes on Muscle in OpenSC wiki, which might be of
>interest to anyone interested in either OSS JavaCard applets or Muscle
Nice page and matches most of the observations I've got WRT to muscle and its age.