From 838da79425958a0d09f2e8a8e778fc914410aa42 Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Thu, 2 Dec 2021 20:15:49 +0200 Subject: [PATCH] fineid/README.md: write my notes more cleanly Resolves: Mikaela/shell-things#7 --- fineid/README.md | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 fineid/README.md diff --git a/fineid/README.md b/fineid/README.md new file mode 100644 index 0000000..0ba08f1 --- /dev/null +++ b/fineid/README.md 
@@ -0,0 +1,56 @@ +# Finnish Electronic Identity + +Finnish identity cards have been electronic for ages and as I tend to forget +how to use it on Linux again, here are my notes. + +* Official application: https://dvv.fi/en/card-reader-software + * Fedora/rpm is hidden under "All versions", "Linux versions" +* DVV certificate newsletter: https://uutiskirjeet.dvv.fi/uutiset/varmennepalvelut.html + +## Requirements for everything + +PCSDd must be running, it's found in package `pcscd` on Debian and likely +`pcsc-lite` on Fedora. + +```bash +sudo systemctl enable pcscd --now +``` + +## Chromium + +Should work as long as the `DigiSignApplication` from above was running before +the browser was started. + +## Firefox and Thunderbird + +In Settings, Advanced, Security devices load the module from (DVV app) `/usr/lib64/libcryptoki.so` or (OpenSC): + +* Debian: `/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so` + * Package: `opensc-pkcs11` +* Fedora: `/usr/lib64/onepin-opensc-pkcs11.so` + * Package: `opensc` + +`onepin` is a workaround to not ask for PIN2 which is only used for legal agreements, +email signing also uses PIN1. + +## Root certificates + +While I don't think the user necessarily needs them, my notes mention `DVV Gov. Root CA`. + +* https://dvv.fi/en/ca-certificates + +## Testing + +* https://dvv.fineid.fi/en/authentication + +## FINEID as SSH key + +0. I would start by `ssh-add -D` to remove other keys from the ssh-agent. +1. Add the key to the agent + * Debian: `ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` + * Fedora: `ssh-add -s /usr/lib64/opensc-pkcs11.so` +2. Export the public key(s) by `ssh-add -L` +3. Naturally put them into `~/.ssh/authorized_keys`, but SSH should detect + them automatically. The file could also be mentioned in `ssh_config` + +Via: https://www.linux.fi/wiki/HST#Ssh_2
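Review bot: In "Requirements for everything", the prose says "PCSDd must be running", but the package and the systemd unit named right after it are both `pcscd`; the daemon name should be spelled `pcscd` there too, so a reader searching for the service finds it. In "Chromium", "the `DigiSignApplication` from above" points at a name that appears nowhere earlier in the file, since the first section only links to the "Official application"; naming the binary next to that link would make the reference resolve. In step 3 of "FINEID as SSH key", "The file could also be mentioned in `ssh_config`" is ambiguous: `~/.ssh/authorized_keys` lives on the server and is not something `ssh_config` refers to, so if the PKCS#11 module path is meant, say so and name the option (`PKCS11Provider`). It would also help to note why the Firefox section loads `onepin-opensc-pkcs11.so` while the SSH steps load `opensc-pkcs11.so`, because the "onepin" explanation is only given for the browser case.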