On 19/01/2012 09:16, Peter Stuge wrote:
> Christian Hohnstaedt wrote:
>> Anything that can be signed by the card can be signed by a software
>> key, too.
> Yes of course. But the point is that the card can come with the
> special key pre-installed.

I see at least two ways here:

1) the 'technical' way: have a card that, when issued (= before being given to the user), already contains a cert for a key generated on-card. When the user requests a new cert, the old (referencing the same private key) must be included as a proof (actually, the 'public key' part could be taken from this cert, simplifying CSR that could even be a simple web form for the other infos).

2) the 'legal' way (might not be applicable everywhere): when the user submits a CSR, (s)he must swear that the key has been generated on-card and is not extractable.

It's the usual chicken-and-egg problem. :)

PS: a doubt just popped in my mind: can I store multiple certs for the same private key? How?

BYtE,
 Diego.
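
The CA-side check implied by option 1 above, as an added example that is not part of the original message or of OpenSC: a new CSR is accepted only if it carries the same public key as a certificate the card issuer placed on the card before hand-out. Software keys stand in for the on-card key, and all file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Software keys stand in for the on-card key; every file
# name and subject below is constructed for the demo.

# Succeeds only if the CSR is correctly self-signed, the old certificate
# chains to the card issuer's CA, and CSR and certificate carry the same
# public key.
csr_bound_to_card_cert() {
    csr=$1; card_cert=$2; issuer_ca=$3
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl verify -CAfile "$issuer_ca" "$card_cert" >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$card_cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]
}

# Build a throwaway issuer CA, a pre-issued "card" certificate, a CSR made
# with the card key, and a CSR made with an unrelated software key.
make_demo() {
    d=$(mktemp -d) || return 1
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Card Issuer CA" -keyout "$d/ca.key" -out "$d/ca.pem" &&
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=card-0001" \
            -keyout "$d/card.key" -out "$d/card0.csr" &&
        openssl x509 -req -in "$d/card0.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/card.pem" &&
        openssl req -new -key "$d/card.key" -subj "/CN=Demo User" -out "$d/user.csr" &&
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo User" \
            -keyout "$d/soft.key" -out "$d/soft.csr"
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

demo=$(make_demo) || exit 1
for f in user.csr soft.csr; do
    if csr_bound_to_card_cert "$demo/$f" "$demo/card.pem" "$demo/ca.pem"; then
        echo "$f: accepted, same key as the pre-issued card certificate"
    else
        echo "$f: rejected"
    fi
done
```

The check only shows that the CSR key is the one the issuer already certified; that the key was generated on-card and is not extractable still rests on the issuer's process at issuance time.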