Timothy J. Miller wrote:
> There is no getting around the enrollment trust problem. Most
> sensible smartcard and PKI deployments handle this via an enrollment
> ceremony that involves a face-to-face component.

As for the enrollment trust problem, IMHO, using the secure channel is a good alternative to the face-to-face.
From the technical point of view, a distant enrollment with secure channel can be more secure than face-to-face enrollment without secure channel.

Regards,
Viktor.

>
> -- Tim
>
> On Jul 2, 2007, at 1:59 PM, Alon Bar-Lev wrote:
>
>> On 7/2/07, Jim Rees <[EMAIL PROTECTED]> wrote:
>>> We do something like this to translate kerberos tickets into cert/key usable
>>> from pkcs11. But it only makes sense if you have some way to convince the
>>> CA that it should sign the keypair and issue a cert. In our case that's
>>> kerberos. Otherwise, how can anyone trust the cert?
>>
>> But Kerberos is weaker than PKI in terms of authentication.
>> You can use PKI in order to authenticate to Kerberos.
>> So you have static certificate for user and dynamic authorization
>> using kerberos.
>>
>> Alon.
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel