On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren <anders.rundg...@telia.com> wrote: > On 2012-08-06 11:23, Andreas Schwier wrote: >> I would assume, that checking constraints is the job of the RA, not the CA. >> >> Anyway, our design works the other way around: The card generates the >> CSR internally, so the RA/CA can prove the key was generated in a >> legitimate device. The device can be anywhere out in the wild. > > Which is the future for smart cards, otherwise they must be physically > distributed after provisioning.
But how do you prove that the key was generated in the card? You'd need some kind of provisioning to do that. regards, Nikos _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
