The following is the most recent [very preliminary]
addition to: http://webpki.org/keygen2.pdf
Since I couldn't find any other key-provisioning standard dealing
with PIN policies this may not be perfect, but it is at least a try.
Comments are very welcome!
The following is sent down to the client by the issuer:
<KeyGenerationRequest RequestID="I.535100037738"
                      ServerTime="2007-09-01T21:03:24Z"
                      SubmitURL="https://ca.example.com/keygenres"
                      xmlns="http://xmlns.webpki.org/keygen2/alpha/20070901">
  <!-- Request a key without PIN protection -->
  <RequestedKey ID="Key.1" KeyUsage="encryption">
    <KeyAlgorithmData>
      <RSA KeySize="2048"/>
    </KeyAlgorithmData>
  </RequestedKey>
  <!-- Request a set of keys with PIN protection.
       The specified policy disallows 11122 but accepts 11223;
       654321 would not be accepted either (sequence). -->
  <PINProtection Type="numeric" MinLength="5" MaxLength="8"
                 PatternRestrictions="three-in-a-row sequences">
    <!-- The next element is optional and is a way of grouping PINs
         so that the user either must specify a single PIN for a set of
         keys or one unique PIN per key. -->
    <PINGroupProtection Shared="true">
      <RequestedKey ID="Key.2" KeyUsage="signature">
        <KeyAlgorithmData>
          <RSA KeySize="2048"/>
        </KeyAlgorithmData>
      </RequestedKey>
      <RequestedKey ID="Key.3" KeyUsage="authentication">
        <KeyAlgorithmData>
          <RSA KeySize="2048"/>
        </KeyAlgorithmData>
      </RequestedKey>
    </PINGroupProtection>
  </PINProtection>
</KeyGenerationRequest>
A.R.
_______________________________________________
Developer mailing list
[email protected]
https://www.openoces.org/mailman/listinfo/developer
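The following is an added worked example, not code from the KeyGen2 draft or from the post above. It parses a <PINProtection> element like the one in the message and enforces its policy on candidate PINs on the client side, reproducing the three verdicts the post gives (11122 rejected, 11223 accepted, 654321 rejected), and it derives which keys must share a PIN from <PINGroupProtection Shared="true">. The element and attribute names come from the post; the request XML is constructed here (with real XML comments, since "//" lines are not legal XML), and the exact meaning of the two pattern restrictions is this example's assumption: "three-in-a-row" is read as the same digit three or more times consecutively, and "sequences" as a PIN that is one unbroken run of consecutive ascending or descending digits.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "http://xmlns.webpki.org/keygen2/alpha/20070901"

# Constructed request, modelled on the one in the post (not a captured message).
REQUEST_XML = f"""<KeyGenerationRequest RequestID="I.535100037738"
  ServerTime="2007-09-01T21:03:24Z"
  SubmitURL="https://ca.example.com/keygenres"
  xmlns="{NS}">
  <RequestedKey ID="Key.1" KeyUsage="encryption">
    <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
  </RequestedKey>
  <PINProtection Type="numeric" MinLength="5" MaxLength="8"
                 PatternRestrictions="three-in-a-row sequences">
    <PINGroupProtection Shared="true">
      <RequestedKey ID="Key.2" KeyUsage="signature">
        <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
      </RequestedKey>
      <RequestedKey ID="Key.3" KeyUsage="authentication">
        <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
      </RequestedKey>
    </PINGroupProtection>
  </PINProtection>
</KeyGenerationRequest>"""


@dataclass(frozen=True)
class PinPolicy:
    pin_type: str
    min_length: int
    max_length: int
    restrictions: frozenset  # tokens of the PatternRestrictions attribute


def parse_pin_policy(xml_text):
    """Extract the PINProtection policy; None if the request has no PIN-protected keys."""
    root = ET.fromstring(xml_text)
    elem = root.find(f"{{{NS}}}PINProtection")
    if elem is None:
        return None
    return PinPolicy(
        pin_type=elem.attrib["Type"],
        min_length=int(elem.attrib["MinLength"]),
        max_length=int(elem.attrib["MaxLength"]),
        restrictions=frozenset(elem.get("PatternRestrictions", "").split()),
    )


def _has_three_in_a_row(pin):
    # Assumed meaning of "three-in-a-row": the same character three or more
    # times consecutively, e.g. 11122.
    return any(pin[i] == pin[i + 1] == pin[i + 2] for i in range(len(pin) - 2))


def _is_sequence(pin):
    # Assumed meaning of "sequences": every step between neighbouring digits is
    # +1 (12345) or every step is -1 (654321), i.e. the whole PIN is one run.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def check_pin(pin, policy):
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    problems = []
    numeric = all(c in "0123456789" for c in pin)
    if policy.pin_type == "numeric" and not numeric:
        problems.append("not numeric")
    if not policy.min_length <= len(pin) <= policy.max_length:
        problems.append(f"length {len(pin)} outside {policy.min_length}..{policy.max_length}")
    if "three-in-a-row" in policy.restrictions and _has_three_in_a_row(pin):
        problems.append("three identical characters in a row")
    if "sequences" in policy.restrictions and numeric and len(pin) >= 2 and _is_sequence(pin):
        problems.append("ascending or descending digit sequence")
    return problems


def pin_groups(xml_text):
    """Return lists of key IDs; each list is one PIN the user must choose.
    Shared="true" puts every key of the group behind a single PIN, otherwise
    (and for keys placed directly under PINProtection) each key gets its own."""
    root = ET.fromstring(xml_text)
    prot = root.find(f"{{{NS}}}PINProtection")
    groups = []
    if prot is None:
        return groups
    for key in prot.findall(f"{{{NS}}}RequestedKey"):
        groups.append([key.get("ID")])
    for grp in prot.findall(f"{{{NS}}}PINGroupProtection"):
        ids = [k.get("ID") for k in grp.findall(f"{{{NS}}}RequestedKey")]
        if grp.get("Shared") == "true":
            groups.append(ids)
        else:
            groups.extend([i] for i in ids)
    return groups


if __name__ == "__main__":
    policy = parse_pin_policy(REQUEST_XML)
    for candidate in ("11122", "11223", "654321"):
        print(candidate, check_pin(candidate, policy) or "accepted")
    print("PIN groups:", pin_groups(REQUEST_XML))
```

Note that the checker rejects on the first reading of each restriction given above; a real client would have to agree with the issuer on the exact semantics (for instance whether "sequences" also covers a run shorter than the full PIN, such as 51234), which the draft element as posted does not pin down.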