Ramkumar,
Ken, Mohamed,

A certificate is more or less another piece of signed data; the way you
generate it is quite the same as the way a multipart signed mail is built. So
Mohamed & Ken were right: you want to use a smartcard to sign the digest info
that results in a hash of your mail - with your private key - and your CA
may want to use a smartcard to sign a (kind of digest) of the certificate
it delivers to you.

During these similar processes the card is used for three different tasks:
- first to generate a key pair,
- then to sign a certificate request built up externally to the card,
- and after certificate storage to pad & sign digest info (or hash then pad
then sign).

Btw, I wonder if, from a security point of view, a 160-bit hash (SHA1,
RIPE-MD160) signed with a 1024-bit key is more or less robust than a
128-bit hash (MD5, RIPE-MD128) signed with a 2048-bit key ... or in other words,
is it easier to factorize a key or to build a plain message given a
specific hash ... can someone brief me?

Happy new year,
Sylvain.

At 11:35 29/12/00 -0500, Ken Goldman wrote:
>Basically, I think that Mohammed is correct.
>
>Typically, the card generates a public/private key pair. It holds
>the private key inside the card, and exports the public key. The
>public key is put into a certificate, which is signed by the
>certificate authority (CA), and then loaded back on the card.
>
>In theory, I suppose you could use a smart card as a CA signer.
>A programmable card like a Java card could build the X509
>certificate, but I'm not sure it buys any greater security.
>
> > Date: Fri, 29 Dec 2000 16:18:44 +0530
> > From: "Mohammed SADIQ" <[EMAIL PROTECTED]>
> >
> > I don't think any card has the feature you described. You have to
> > format/prepare the certificate outside the card and store the result
> > in the card.
> >
> > >From: Ramkumar.R [mailto:[EMAIL PROTECTED]]
> > >Sent: Friday, December 29, 2000 2:39 PM
> > >
> > >How to generate digital certificates of X509 v3 standard
> > >using a smartcard. In the OCF APIs, are there any methods for this?
> > >
> > >Which are the cards that support the above?
>
>--
>Ken Goldman [EMAIL PROTECTED] 914-784-7646
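
The split described in this thread (data built and hashed outside the card, DigestInfo padded and signed with a key that stays inside it), as an added example that is not part of the original messages or of the OCF API. `ToyCard` and the function names are hypothetical, and the key is a constructed toy key.

```python
import hashlib

# DER prefix of the PKCS#1 v1.5 DigestInfo structure for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

class ToyCard:
    """Hypothetical stand-in for the card: the private exponent never leaves it."""
    def __init__(self):
        # Constructed toy key built from two Mersenne primes; not a usable key.
        p, q = 2**521 - 1, 2**607 - 1
        self.n, self.e = p * q, 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))
        self.k = (self.n.bit_length() + 7) // 8   # modulus length in bytes

    def public_key(self):
        return self.n, self.e

    def sign_digest_info(self, digest_info):
        """Pad (EMSA-PKCS1-v1_5, block type 01) and apply the private key."""
        if len(digest_info) > self.k - 11:
            raise ValueError("DigestInfo too long for this modulus")
        pad = b"\xff" * (self.k - len(digest_info) - 3)
        em = b"\x00\x01" + pad + b"\x00" + digest_info
        return pow(int.from_bytes(em, "big"), self._d, self.n).to_bytes(self.k, "big")

def digest_info_sha1(data):
    """Host side: hash the externally built data and wrap it as a DigestInfo."""
    return SHA1_PREFIX + hashlib.sha1(data).digest()

def verify(public_key, data, signature):
    """Host side: apply the public key and compare against the expected block."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    di = digest_info_sha1(data)
    return em == b"\x00\x01" + b"\xff" * (k - len(di) - 3) + b"\x00" + di

def demo():
    card = ToyCard()
    request = b"constructed certificate request body"   # built outside the card
    sig = card.sign_digest_info(digest_info_sha1(request))
    pub = card.public_key()
    # The card only ever saw 35 bytes of DigestInfo, never the request itself.
    return verify(pub, request, sig), verify(pub, request + b"!", sig)
```
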
---
> Visit the OpenCard web site at http://www.opencard.org/ for more
> information on OpenCard---binaries, source code, documents.
> This list is being archived at http://www.opencard.org/archive/opencard/