On Thu, Jan 19, 2012 at 12:38 AM, NdK <ndk.cla...@gmail.com> wrote:
> On 19/01/2012 09:16, Peter Stuge wrote:
> > Christian Hohnstaedt wrote:
> >> Anything that can be signed by the card can be signed by a software
> >> key, too.
> > Yes of course. But the point is that the card can come with the
> > special key pre-installed.
> I see at least two ways here:
> 1) the 'technical' way: have a card that, when issued (= before being
> given to the user), already contains a cert for a key generated on-card.
> When the user requests a new cert, the old (referencing the same private
> key) must be included as a proof (actually, the 'public key' part could
> be taken from this cert, simplifying the CSR, which could even be a simple web
> form for the other infos).
>
Thanks. I independently just thought of this and seeing your response
validates my thought. This method seems much easier than my convoluted
approach, but I like even more the method suggested by Christian: the CA
just knows the public keys in advance.

It's also nice (for both methods: public key or cert exchange) that the
user doesn't have to sit there waiting for key generation.

On Thu, Jan 19, 2012 at 12:03 AM, Christian Hohnstaedt <christ...@hohnstaedt.de> wrote:
> On Wed, Jan 18, 2012 at 11:30:36PM -0800, Frank Cusack wrote:
> > verify. There is no way for the user to add that signed data to a software
> > CSR because the key used to sign that data is not available to the user.
>
> That is what I doubt.
> Anything that can be signed by the card can be signed by a software key,
> too.
>

Not if the operation requires that the card add the data, and the key used
won't sign raw input data. For example, consider a CA. It doesn't just sign
what you pass to it. It adds some locally generated attributes (most
importantly a serial number, which can't be user-influenced) and signs
that.

A software key can do all that, of course, but in my proposal we have to
already know that the signing (attestation?) key is card-generated and
resident. My point was that this attestation key is not personalized to the
user and can be provisioned in bulk.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
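The scheme the two messages above converge on (Christian's "the CA just knows the public keys in advance" and Frank's "the card adds locally generated attributes and signs that") can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from OpenSC, or from any card vendor. It uses Go's standard-library ECDSA in place of an on-card applet, and every name in it (`Card`, `CA`, `Attest`, `Accept`, the `CardSerial`/`Counter` attributes, P-256 as the curve) is an assumption chosen for illustration. The one property it demonstrates is the one Frank argues for: the card-resident key will only ever sign the user's CSR bytes together with values the card itself chose, and the CA accepts a submission only if the signature verifies under a key it was handed at bulk provisioning time, so a software key that imitates the same format still fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Attestation is what the card hands back: the caller's CSR bytes, two attributes
// the card chose itself (its serial and a per-card counter), and a signature over all three.
type Attestation struct {
	CSR        []byte
	CardSerial uint32
	Counter    uint32
	Sig        []byte
}

// Card models a token issued with a pre-installed, on-card attestation key (assumed model).
type Card struct {
	serial  uint32
	counter uint32
	attKey  *ecdsa.PrivateKey // never leaves the struct; stands in for the card-resident key
}

// NewCard stands in for the issuer's bulk personalisation step.
func NewCard(serial uint32) (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{serial: serial, attKey: k}, nil
}

// AttestationPublicKey is what the issuer records and later hands to the CA.
func (c *Card) AttestationPublicKey() *ecdsa.PublicKey { return &c.attKey.PublicKey }

// attestDigest binds the CSR to the card-supplied attributes so neither can be swapped.
func attestDigest(csr []byte, serial, counter uint32) []byte {
	h := sha256.New()
	h.Write(csr)
	var attrs [8]byte
	binary.BigEndian.PutUint32(attrs[0:4], serial)
	binary.BigEndian.PutUint32(attrs[4:8], counter)
	h.Write(attrs[:])
	return h.Sum(nil)
}

// Attest signs whatever CSR the user presents, but only together with the serial and a
// fresh counter the card picks; the user cannot get a signature over the raw CSR alone.
func (c *Card) Attest(csr []byte) (Attestation, error) {
	c.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, c.attKey, attestDigest(csr, c.serial, c.counter))
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{CSR: append([]byte(nil), csr...), CardSerial: c.serial, Counter: c.counter, Sig: sig}, nil
}

// CA knows the attestation public keys in advance, keyed by card serial.
type CA struct {
	provisioned map[uint32]*ecdsa.PublicKey
	lastCounter map[uint32]uint32
}

func NewCA() *CA { return &CA{provisioned: map[uint32]*ecdsa.PublicKey{}, lastCounter: map[uint32]uint32{}} }

func (ca *CA) Provision(serial uint32, pub *ecdsa.PublicKey) { ca.provisioned[serial] = pub }

// Accept returns nil only if a provisioned card key signed exactly these CSR bytes with a
// counter the CA has not seen before. An unprovisioned software key fails the verify step.
func (ca *CA) Accept(a Attestation) error {
	pub, ok := ca.provisioned[a.CardSerial]
	if !ok {
		return errors.New("unknown card serial")
	}
	if !ecdsa.VerifyASN1(pub, attestDigest(a.CSR, a.CardSerial, a.Counter), a.Sig) {
		return errors.New("attestation signature does not verify under the provisioned key")
	}
	if a.Counter <= ca.lastCounter[a.CardSerial] {
		return errors.New("attestation replayed")
	}
	ca.lastCounter[a.CardSerial] = a.Counter
	return nil
}

func main() {
	card, _ := NewCard(4711)
	ca := NewCA()
	ca.Provision(4711, card.AttestationPublicKey())
	csr := []byte("constructed stand-in for DER-encoded CSR bytes")
	att, _ := card.Attest(csr)
	fmt.Println("genuine card:", ca.Accept(att))
	fmt.Println("replay:      ", ca.Accept(att))
	soft, _ := NewCard(4711) // a software key claiming the same serial
	satt, _ := soft.Attest(csr)
	fmt.Println("software key:", ca.Accept(satt))
}
```

The counter is there because, once the CA holds a static list of keys, the obvious next attack is replaying an old attestation with a new CSR or resubmitting a captured one; in a real deployment the CA would also want the attested CSR to prove possession of the user key in the usual way, which this model leaves to the CSR's own signature.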