If you guys are interested in more technical details on what I hope to launch as a successor to the existing generation of PKI cards, the following is it.
Aren't smart cards good enough? From a tamper-resistance point of view, yes, but from a provisioning point of view smart cards have a long way to go. From the SKS paper: "even if you buy a $100 card; it still doesn't enable an on-line issuer to verify that keys were actually created in the card!" Well, that is of course not entirely correct because some vendors deploy shared secrets and proprietary software to secure provisioning, but these schemes do not support *end-user* provisioning, COTS SW, and smart cards (or mobile phones) potentially acquired by the users themselves. Due to this and some other limitations, 99.9% of all consumers use passwords.

"Air-tight provisioning", the basics:
http://webpki.org/papers/keygen2/secure-key-store.pdf

If you take a look at "Dual-use Device IDs", you will find a novel (?) use of device certificates.

"Air-tight provisioning", core facility:
http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf

Anders Rundgren

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel