2) You might want to take a look at ISO/IEC 7816-13 which is
GlobalPlatform using secure messaging rather than secure channels.  As
an international standard rather than a proprietary system it may turn
out to be more germane to managing FIPS 201 cards.

Do I smell one of those Marxist, dialect[r]ical materialism moments, here? :-)

Channels vs messaging. SSL vs SET. DARPA vs NSA. IETF vs ITU-T/OSI.

Hmmm.


Cheers, Scott

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Williams
Sent: Tuesday, December 13, 2005 11:09 AM
To: [email protected]
Subject: RE: [Muscle] GlobalPlatform R-MAC
>From: Karsten Ohme <[EMAIL PROTECTED]>
>Reply-To: MUSCLE  <[email protected]>
>To: MUSCLE <[email protected]>
>Subject: [Muscle] GlobalPlatform R-MAC
>Date: Tue, 13 Dec 2005 14:02:00 +0100
>
>Hello,
>
>The secure channel protocol 02 of the GlobalPlatform specification
>allows the use of an R-MAC (response MAC). The specification mentions
>that the R-MAC is applied to all the subsequent command/response
>messages. Is this really true? Or is the R-MAC only applied to real
>command APDUs containing data and not to protocol APDUs like Get
>Response, or on errors like Wrong Length (6C, 61, ...)?
>
>Are there any cards which support R-MAC?

Yes.

FIPS 201 essentially requires an R-MAC capable SCP - for remote
management of the GCs, as the content silos are instantiated - and
rented off to other agencies/businesses.

I have not personally encountered SCP 02 et al. over T0, in an
off-the-shelf card.

You might want to investigate SCP.n proposals. Our IBM colleagues may be
able to facilitate controlled R&D access to GP.next drafts.

In 7816 terms, secure messaging and logical channel support is
applicable to all APDU transfers. A polling response is just a response.

It's more fun to question whether the T0 procedure bytes and time request
bytes (over USB relays in particular) are secured by the logical
channel, and its binding to secure messaging. One assumes not. One
assumes that the combination of T0 and the more advanced SCPs is really
not "future-compatible".


>Thanks, Karsten
>_______________________________________________
>Muscle mailing list
>[email protected]
>http://lists.drizzle.com/mailman/listinfo/muscle
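To make the R-MAC question concrete, here is an added example (not from the thread or from GlobalPlatform) of the MAC construction SCP02 uses, ISO/IEC 9797-1 algorithm 3 with DES, and a verifier that recomputes a response MAC from the command header, command data, response data and status word. The exact composition of the R-MAC input in rmacInput is my reading of the GP 2.1.1 R-MAC description and should be checked against the specification; the point it shows is that a data-less response (a 6C xx status, for instance) still has a well-defined MAC input.

```go
package main

import (
	"bytes"
	"crypto/des"
)

// retailMAC is ISO/IEC 9797-1 MAC algorithm 3 ("single DES plus final triple DES"),
// the MAC SCP02 uses for C-MAC and R-MAC: CBC-MAC under the left key half, then
// DES-decrypt with the right half and DES-encrypt with the left half. Padding is
// method 2 (0x80 then zeros); icv is the 8-byte chaining value. Nil on bad input.
func retailMAC(key16, icv, data []byte) []byte {
	if len(key16) != 16 || len(icv) != 8 {
		return nil
	}
	k1, err1 := des.NewCipher(key16[:8])
	k2, err2 := des.NewCipher(key16[8:])
	if err1 != nil || err2 != nil {
		return nil
	}
	padded := append(append([]byte{}, data...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	state := append([]byte{}, icv...)
	for i := 0; i < len(padded); i += 8 {
		for j := range state {
			state[j] ^= padded[i+j]
		}
		k1.Encrypt(state, state)
	}
	k2.Decrypt(state, state)
	k1.Encrypt(state, state)
	return state
}

// rmacInput assembles the bytes the R-MAC covers. ASSUMPTION (my reading of
// GP 2.1.1; check it against the spec): CLA INS P1 P2, Lc, command data, then
// response length, response data and SW1 SW2. A data-less response such as
// 6C xx still yields a well-defined input, so it can carry an R-MAC too.
func rmacInput(header, cmdData, respData []byte, sw uint16) []byte {
	in := append(append([]byte{}, header...), byte(len(cmdData)))
	in = append(append(in, cmdData...), byte(len(respData)))
	return append(append(in, respData...), byte(sw>>8), byte(sw))
}

// VerifyRMAC recomputes the expected R-MAC and compares it with the received one.
func VerifyRMAC(key, icv, header, cmdData, respData []byte, sw uint16, got []byte) bool {
	return len(got) == 8 && bytes.Equal(retailMAC(key, icv, rmacInput(header, cmdData, respData, sw)), got)
}
```

The key, command header and response bytes used below are constructed sample values, not material from any real card.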

