will it be open sourced like the directory server? will there be at least a download for evaluation?
what do you need from the smart card side? I'm one of the opensc and openct developers, and we support a lot of commercially available smart cards and national id cards in our pkcs#11 module. in contrast your software supports only a single card according to the documentation.
what about any place for discussion? last time I checked there was no mailing list or anything, and on the directory server list I was told redhat wasn't sure what to do with the smart cards and pki parts.
maybe join opensc-devel mailing list and discuss how we can test and improve interoperability and benefit from each other?
Is there any open source in memory database? Preferably fast and stable?
I find it silly if people run benchmarks with real database software, but in setups where all the data would fit into the ram of the server - even several times. In memory databases could be a lot faster for those situations.
Also it would be nice to see some setups that are realistic, i.e. at least the data doesn't fit into ram, maybe even setups where the indices are too big to be kept in ram completely all the time. Would be interesting which databases still work acceptable in such situations.
Example where I have that: backup servers. The "file" table with all files backed up and still kept somewhere on tape is about 10-15gb, and of course the server is 32bit, dual xeon, and only 4 gb of ram.
old problem. I started four years ago with the goal to get rid of all those passwords, and instead use a nice usb crypto token for authentication.
my suggested token is an axalto/schlumberger cryptoflex 32k with egate token adapter (so you don't need a smart card reader, only a usb port). I don't work for them, I don't get any benefit from this suggestion. but they are cheap, fast, latest technology (important if you consider timing attacks, power analysis attacks and all that stuff), and most important: well documented, well supported, and easy to buy (www.scmegastore.com). most other companies hide their details (even the user manual requires an NDA), and buying is sometimes difficult (because they want to sell software and services, not only the plain token).
openct: smart card reader
opensc: smart card library plus pkcs#11 module
openssh: recompile --with-opensc
mozilla: simply load the pkcs#11 module.
libp11: easier to use than the standard pkcs#11 interface.
engine_pkcs11: engine so you can use openssl with your smart card.
windows: "smart card bundle" our binary installer bundle with openssl, opensc, putty, libp11 and engine_pkcs11.
pam_p11: login with your smart card (simple, local module).
pam_pkcs11: login with your smart card (full features, signature checks, ca chain checks, crl checks, ldap, kerberos, etc.)
all of that: www.opensc.org
disclaimer: this is shameless advertising for my open source projects.
Hi, are there any plans to finish and activate sleeping areas? I noticed several places that look like they should be used, but all persons are dull, buildings are empty or artificially closed and there are even tunnels ending in nowhere. one example is the high plateau near ironforge (you see it when flying to menethil). or would such changes disrupt the world too much?
think email encryption. your keys are on your device and never leave it. also you have your favorite mail client, spam filter, email encryption software etc. all with you. you won't need a laptop and still can go to an internet cafe, use their computers, use encryption, and all that with relatively low security risks (ok, the host could most likely still capture keyboard input, vga output and network packets, but that is still an improvement).
software suggestion for software front page (on Atom 1.0 vs RSS 2.0)
opensc.org has a front page with mostly news entries. I'd like to move from the manually written php code to some software, where we can publish announcements on new versions, and an atom and/or rss feed would be nice. any suggestion?
Is there any nat-pt solution for linux? I don't think anyone wants to go through the pain of double stacks. So to run an ipv6 only network, and connect it with both v4 and v6, you would need a v6tov4 nat device (nat-pt). I haven't seen anyone offering that, at least no linux based solution (some *bsd might be able to do that, not sure).
1024bit isn't state of the art. get a cryptoflex 32k card with plug and an egate token connector (www.scmegastore.com, 150 US$ for five), install openct and opensc and use it. has 2048 bit rsa.
alternative: g&d starkey 100 (driver coming soon), rainbow ikey 3000, aladdin etoken pro (only 1024 bit rsa). avoid hardware that is hard to buy (i.e. no webshop where you can buy one without bypassing people selling a "solution"), and avoid cards/tokens without public documentation of the smart card operating systems (no documentation -> no quality isn't such a bad guess).
If I look into my windows 2000 preview guide, it still lists a lot of features win2k has, but linux still has not or only a much weaker version. Still I never saw any advertisement by microsoft mentioning these differences in features. Is it that nobody cares about them? Or could the additional complexity associated with those features (think of all the replications on domains and forests for example) make people even more aware of the hidden cost they have, even if not used at all?
selling online video will work a lot better if people had 10-50 mbit download capabilities. in asia where many people have that, the companies offer video on demand, sell the latest dvd show or tv streams etc.
so in europe and north america companies are more likely to wait for the new technology to arrive, as with the current 1,2 or 3 mbit download "broadband" in most countries, they don't see a big market.
but here is the dilemma: the main thing today driving the market in offering faster internet connections for the normal user is peer2peer networks with warez content.
so companies hate it, as they often think it costs them a loss in the form of revenue not happening, but in a long term view it is driving technology towards a new market where they can sell and earn new profits.
private ftp servers with a few hundred users - there are still lots of them with lots of warez. but they can be found, and it is easier to tell who has access to them, and all the warez is in one place, so you can sue each user for a huge amount.
now with bittorrent, it is quite easy to setup a private webserver with a forum, torrent files, and a tracker rejecting unknown users. that does not create much traffic, as most data flows between the members directly. if the site is found and the server is taken in: it only has .torrent files. those alone are not illegal. also downloading torrent files is not illegal. and I hope nobody is stupid enough to have tracker log files, so there is not very much evidence for legal battles.
even more important is that with bittorrent a hundred people with everyone only donating small resources (dsl line, one central server) can have a huge impact.
look at the numbers: the movie industry has never made more profit. now is their time to get rich. so the last thing they want to do is experiment with something that might as well cost them their profits. now is the time to protect that cash flow, and that means spending some percent of the revenue on legal issues.
also don't forget most people have "broadband" meaning 1,2 or 3 mbit. that is good enough for a few trailers and mp3 downloads, but is not very convenient for the average users. once 10 to 50 mbit is what the average user has, then they can sell video content directly.
also note the format wars are still happening, even if more and more wmv looks like the winner. (or xvid by popularity contest among normal people. or divx? you see, it's not decided...) it is normal for companies to wait till those things are settled.
and one more issue: hd dvd or blu-ray? dvd brought in lots of money by re-selling old content. let's do that again with a new format in a few years! most companies would love to. so they have a more important development to focus on.
what about anonymous trackers? run by people who do not look at the content of the file that is shared. bittorrent allows you to do that (nobody does, as trackers generate huge amounts of traffic, but it is possible).
but note with most filesharing tools there are also these steps:
2.1 search that user for more copyrighted material
2.2 add it all up to make any lawsuit real expensive
What are you going to do with bittorrent? Most people seed only a few files, possibly on different trackers. There is no easy reverse lookup to get the filename from the binary content.
I think smart cards are the right way. Get the normal cryptoflex 32k egate card with a token connector, install openct and opensc (both http://www.opensc.org/), and use the opensc pam module for login, openssh for remote authentication, mozilla or firebird with the opensc pkcs#11 module for email signing and decryption, the opensc tools for initializing the card and diagnostics, openssl with the pkcs11 engine to create signed certificates, and so on.
you don't need microsoft to do that. opensc is available for linux and friends, mac os X and windows, and a CSP for windows is under development.
opensc supports cryptoflex, cyberflex, gemplus pk, siemens card os, telesec tcos, micardo, setec, ibm jcop, oberthur and openpgp smart cards. also the finnish, swedish, estonian and italian id cards are supported with full source code, the spanish linux user group has a special version with support for the spanish id card using a binary only plugin.
also note that opensc does not use a proprietary on card format (like most commercial alternatives), but implements the pkcs#15 standard.
disclosure: I'm one of the developers, doing some advertisement here:-)
if you work at intermec, can you tell us where we can buy one of the rfid pc cards and a few tags? maybe at an affordable rate? and is there a linux driver available, and/or enough documentation to write one?
it's only 80 machines, but I'm doing desktop for 5000 students here. the distribution does not matter much, since you really want your own install mechanism for roll outs.
the easiest, pre-packaged way is using drive image, a tool designed for just that. if there is also windows on these machines, you really want this.
but if its only linux you can create your own auto install process.
many network cards like the 3c905C have a network boot rom, but you can also work with a boot disk.
the install mechanism can be very simple: boot a kernel with the necessary drivers, get ip via dhcp, filesystem via nfs-root, partition the hard disk, create filesystems + swap, put your "image" (can be a tar ball) of the software you want on the hard disk, change some things like hostname, install the bootloader, done.
managing hostnames could be done via a small client/server system: some server gives out the hostnames, the clients acquire one from this central resource. it's really easy to do this with a cgi script and GET or wget, it's scriptable.
if your hardware is not all the same, you can detect some stuff by parsing the kernel log from the boot process. lspci (and some grep commands) is a big help with pci cards, e.g. vga.
building a base system to install on all machines is "easy": install your favorite distribution and the software you want, and tune everything till you are satisfied. then build a tar.gz of everything and put it on the server. grab the partition table with sfdisk -d (sfdisk can use this output to create the same partition table on a different system), and you are fine.
you could also install some hooks in the image that will run at the next boot and delete themselves. these hooks can fire up X11 and ask stuff like hostname, dhcp/manual ip, and all this. gtk/perl/glade is a big help, or tcl/tk or whatever you use.
a roll out, a mere installation of everything, is very very easy. the mechanisms have been widely known for more than 10 years, and they do not differ very much from a windows rollout.
but really hard is the maintenance. software updates on linux don't go that easy. you can't use the distribution mechanisms, since they might fuck up (like some debian packages asking for [ENTER]). i found a big friend in rsync. so, the software update/installation side needs some work, most important if you have lots of different combinations of software on the machines.
it's getting harder with the hardware: after some time hardware will fail, and people will replace it with different hardware. all the distributions know how to do autodetection for installation, but there is no tool to do it every time the machine boots. you don't want someone to edit some config file because a serial mouse was replaced with a ps2 one.
but the hardest part is a good configuration for lots of users, if they have different backgrounds. sure you can use skel like mechanisms, but face it: they suck, they are very ugly hacks. but lots of applications don't have good config files in /etc, and something like a "group config file" is not known to most applications.
it would be really nice to have some windows features for people who want them, like hardware detection at boot time, or a "run this the next time linux boots, but only once" mechanism, or some automatic configuration of IPsec (like the windows "add to domain"), and lots of other stuff.
i looked a bit at some windows software, where the user can pick the software he wants, and gets it installed. if there are updates, they are listed, and installed when he wants them. admins can create and configure these software packages and updates and can put a lot of magic in it. and it all works without the user having (root|administrator) rights. linux could use some of this stuff for big desktop users.
The trading card game was still a nice game (if all player agreed to buy the same amount of cards). and the cards and drawings were very cool.
i hope there will be localized versions again - i love the german inwo edition with german cards like "zuvieldienstliestende" or "stammtischpolitiker".
> hat the GPL cannot be used with any non-GPL libraries
the exact situation is: if you want to mix GPL with non-GPL:
- the other licence must allow everything the GPL allows
- the other licence may only restrict stuff also restricted by the GPL. more exact: may not have clauses not found in the GPL.
thus, it's possible to mix GPL'ed software with much other stuff, as long as at least as much is allowed, and not more is restricted. example licences where this is true: LGPL, BSD, XFREE, Apache, Artistic
examples of licences with additional clauses, but still free software: MPL and QPL
please let the "GPL only with GPL" syndrome die. GPL with LGPL, GPL with BSD and such stuff is very common and a good counter example. or even better: read the licence. i always wonder how many people didn't...
if apple wants to create tablet pc style laptops, maybe palm has the right amount of IP and technology for that?
wow, two links that have nothing to do with the music.
was this item submitted by some random topic generator?
If they switch CPUs anyway, I hope they move to
x86_64 entirely, and not to i686/32 bit intel
systems. But I haven't read anything about this issue.
woody is already half a year in work, please freeze it now, so we can get it stable for april (optimistic: january).
a new installer is sure a nice thing, but waiting for it to appear isn't a good thing. better do some releases without it, than do no release at all.
It was possible for debian to include the kde libs and other stuff since kde 1.0 beta 3. for the libraries, there was never ever any issue.
so, why didn't debian include kde? and why should they do now? i have no reason to think they ever will.
Why does the name look like COBOL without a B? Maybe "we dropped the B for Y2K?" (and added the Microsoft Marketing Machine)?