On 2012-01-19 10:16, Frank Cusack wrote:
> On Thu, Jan 19, 2012 at 1:10 AM, Anders Rundgren <anders.rundg...@telia.com
> <mailto:anders.rundg...@telia.com>> wrote:
>
>     This is a long since solved problem. It is an intrinsic part of
>     GlobalPlatform, where you don't really use CSRs and PoPs but a
>     session key to secure that you are really talking to the card.
>
>     On http://webpki.org/auth-token-4-the-cloud.html
>     you can find a lot of material on a system that takes this concept to
>     a new level by making the entire provisioning session a transaction.
>
>     I hope to present it at FOSDEM but I haven't heard from Martin yet...
>
>
> Cool. Intel has a similar process for their (non-GP I think) devices.
>
> Even generically, could SM be used for this? (Or is that in fact what
> you are referring to?) It means the CA, not the user, is interacting
> with the card, which might even be a good thing.
Indeed I was referring to SM. The big thing is really how the session key is created. Most cards use static symmetric keys, but this is a bad solution; SKS uses a combination of ephemeral ECDH keys and a separate attesting card PKI for this purpose.

-- Anders

> Someone emailed me privately mentioning SM but I told him he was incorrect
> since the CA wasn't part of the SM session. Maybe that's what he meant.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
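Anders' reply contrasts a session key derived from static symmetric keys (what most cards do) with one derived from ephemeral ECDH plus a separate attesting card PKI. The following is an added example, not code from SKS, GlobalPlatform or OpenSC, showing the shape of the second approach with nothing but the Go standard library: the issuer and the card each generate a fresh P-256 ECDH key, the card signs a transcript of both ephemeral public keys with its long-lived attestation key, and the issuer refuses to derive a session key unless that signature verifies. Everything beyond that sentence is an assumption of this example: P-256 for both key types, the card's attestation public key being pre-registered with the issuer (standing in for certificate-chain validation under the attesting PKI), an HKDF-SHA256 style derivation built from crypto/hmac, and the constructed labels used as salt and info.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// transcript hashes both ephemeral public keys so the card's attestation
// signature is bound to this exact exchange and cannot be replayed against
// a different issuer ephemeral key. The label is a constructed assumption.
func transcript(issuerEph, cardEph []byte) []byte {
	h := sha256.New()
	h.Write([]byte("provisioning-session-example-v1"))
	h.Write(issuerEph)
	h.Write(cardEph)
	return h.Sum(nil)
}

// deriveSessionKey is a minimal HKDF-SHA256 (extract, then one expand block)
// written with crypto/hmac so the example needs no third-party module.
func deriveSessionKey(shared, salt []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(shared)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("session-key")) // info label, an assumption
	expand.Write([]byte{1})             // HKDF block counter
	return expand.Sum(nil)
}

// Card holds a long-lived attestation key. In a real deployment it would be
// certified under the attesting card PKI; here it is generated locally.
type Card struct {
	attest *ecdsa.PrivateKey
}

func NewCard() (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{attest: k}, nil
}

func (c *Card) AttestationPublicKey() *ecdsa.PublicKey { return &c.attest.PublicKey }

// Respond generates the card's ephemeral ECDH key, derives the shared secret,
// and attests the transcript. The ephemeral private key never leaves scope.
func (c *Card) Respond(issuerEphPub []byte) (cardEphPub, sig, sessionKey []byte, err error) {
	curve := ecdh.P256()
	peer, err := curve.NewPublicKey(issuerEphPub)
	if err != nil {
		return nil, nil, nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, nil, err
	}
	cardEphPub = eph.PublicKey().Bytes()
	t := transcript(issuerEphPub, cardEphPub)
	sig, err = ecdsa.SignASN1(rand.Reader, c.attest, t)
	if err != nil {
		return nil, nil, nil, err
	}
	return cardEphPub, sig, deriveSessionKey(shared, t), nil
}

// Issuer knows the card's attestation public key out of band (assumption
// replacing chain validation) and keeps its own ephemeral ECDH key.
type Issuer struct {
	cardAttestPub *ecdsa.PublicKey
	eph           *ecdh.PrivateKey
}

func NewIssuer(cardAttestPub *ecdsa.PublicKey) *Issuer {
	return &Issuer{cardAttestPub: cardAttestPub}
}

// Start produces the issuer's ephemeral public key to send to the card.
func (i *Issuer) Start() ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	i.eph = eph
	return eph.PublicKey().Bytes(), nil
}

// Finish verifies the attestation before any key derivation: an unsigned or
// substituted ephemeral key means we are not talking to the attested card.
func (i *Issuer) Finish(cardEphPub, sig []byte) ([]byte, error) {
	if i.eph == nil {
		return nil, errors.New("Start must be called before Finish")
	}
	t := transcript(i.eph.PublicKey().Bytes(), cardEphPub)
	if !ecdsa.VerifyASN1(i.cardAttestPub, t, sig) {
		return nil, errors.New("attestation signature invalid: peer is not the attested card")
	}
	peer, err := ecdh.P256().NewPublicKey(cardEphPub)
	if err != nil {
		return nil, err
	}
	shared, err := i.eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return deriveSessionKey(shared, t), nil
}

// RunHandshake drives one complete exchange and returns both sides' keys.
func RunHandshake() (issuerKey, cardKey []byte, err error) {
	card, err := NewCard()
	if err != nil {
		return nil, nil, err
	}
	issuer := NewIssuer(card.AttestationPublicKey())
	issuerEph, err := issuer.Start()
	if err != nil {
		return nil, nil, err
	}
	cardEph, sig, cardKey, err := card.Respond(issuerEph)
	if err != nil {
		return nil, nil, err
	}
	issuerKey, err = issuer.Finish(cardEph, sig)
	if err != nil {
		return nil, nil, err
	}
	return issuerKey, cardKey, nil
}

func main() {
	ik, ck, err := RunHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer key %x\ncard key   %x\nmatch: %v\n", ik, ck, hmac.Equal(ik, ck))
}
```

The point to take from the code is the ordering in Finish: verification of the attestation signature over both ephemeral keys comes before the ECDH computation, so a man in the middle who swaps in his own ephemeral key is rejected before any session key exists, and because both ephemeral keys are fresh per session, compromise of one session's key reveals nothing about others. A production version would validate the card's attestation certificate chain instead of holding the public key directly, and would fold a transaction or session identifier into the transcript as the webpki.org material describes.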