Andreas Jellinghaus wrote: > Am Dienstag 06 April 2010 10:04:00 schrieb Anders Rundgren: >> OpenSC will get Secure Messaging some day it seems based on the Wiki. >> >> What I don't understand is how you are supposed to use Secure Messaging >> since it works on the APDU-level which is invisible from PKCS #11. > > I'm no expert, but I guess you need a card driver and profile that > is designed to work with secure messaging from ground up. > > No idea how well PKCS#15 helps here. With some other cards you > only read a chip serial number or number given to the card > (e.g. issuer serial number), and then start secure messaging > based on a key issued to the card. not sure if PKCS#15 has any > way to implement something like that.
I'm still curious about the applications that OpenSC target with SM. One application seem to be limiting access to ACL-controlled data on the card (biometrics, health records, etc) which IMO is fairly uninteresting since ISO/EIC has defined a new middleware framework for that purpose which I think is the foundation for the German e-card as well. A more generally applicable use of SM is for provisioning cards because currently you can't actually see the difference of keys generated outside of a card or inside of it. Although you are supposed to "trust" the middleware for doing the right thing, I believe this model is broken (you should trust middleware but not *blindly*), and some kind of SM is probably going to be standard some day. At least that is what the GlobalPlatform people say. GlobalPlatform is currently in a transition phase from using shared secrets to using PKI for on-card pre-provisioned keys. SCP10 is the ETSI name of the PKI-version of SM. Anders _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
