On Mar 27, 2008, at 8:50 AM, Marc W. Abel wrote:

> ------------------------------------------------------------
> From the FAQ at http://www.opensc-project.org/faq.html
>
> "Can I store my ssh private key on a smart card?
>
> "Most people prefer to use a smart card with a key that was generated on
> the card and cannot ever leave it. In fact everyone seems to do that. So
> while it might be technically possible to convert a private key in ssh
> format into pem format and then store it on a smart card, until now no
> one wrote such a code, so you can't. If you really need it, please ask
> on the mailing list...."
> ------------------------------------------------------------

I should point out that this is bad practice for keys used for data encryption, as loss or damage of the card can result in loss of the protected data. US DoD, for example, generates the signature keys on card, but encryption keys off-card and securely injects them, also saving them in a key escrow system. US Federal PIV recommends the same to implementers. So if OpenSC doesn't have this capability, it sorely needs it.

> I would be uncomfortable letting any closed-source application, such as
> firmware on a card, generate a key for me. Even more so, as I read that
> many cards have no hardware random number generator and in essence
> generate keys from their serial numbers. This feels like walking
> directly into a trap.

You might be more comfortable with FIPS 140 certified card stock. Then again, you might not. It depends on your level of anti-USG paranoia. :)

--
Tim

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel