The following is the most recent [very preliminary] addition to: http://webpki.org/keygen2.pdf

Since I couldn't find any other key-provisioning standard dealing with PIN policies this may not be perfect, but it is at least a try.
Comments are very welcome!

The following is sent down to the client by the issuer:

<KeyGenerationRequest RequestID="I.535100037738"
                      ServerTime="2007-09-01T21:03:24Z"
                      SubmitURL="https://ca.example.com/keygenres"
                      xmlns="http://xmlns.webpki.org/keygen2/alpha/20070901">

  <!-- Request a key without PIN protection -->
  <RequestedKey ID="Key.1" KeyUsage="encryption">
    <KeyAlgorithmData>
      <RSA KeySize="2048"/>
    </KeyAlgorithmData>
  </RequestedKey>

  <!-- Request a set of keys with PIN protection.
       The specified policy disallows 11122 but accepts 11223.
       654321 would not be accepted either (sequence). -->
  <PINProtection Type="numeric" MinLength="5" MaxLength="8"
                 PatternRestrictions="three-in-a-row sequences">

    <!-- The next element is optional and is a way of grouping PINs
         so that the user either must specify a single PIN for a set of
         keys or one unique PIN per key. -->
    <PINGroupProtection Shared="true">
      <RequestedKey ID="Key.2" KeyUsage="signature">
        <KeyAlgorithmData>
          <RSA KeySize="2048"/>
        </KeyAlgorithmData>
      </RequestedKey>
      <RequestedKey ID="Key.3" KeyUsage="authentication">
        <KeyAlgorithmData>
          <RSA KeySize="2048"/>
        </KeyAlgorithmData>
      </RequestedKey>
    </PINGroupProtection>
  </PINProtection>
</KeyGenerationRequest>

A.R.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
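The client side of the request above has to parse the PINProtection element and then enforce the policy before it accepts a user-chosen PIN. The following is an added example (not from the post or from the KeyGen2 draft) of how that enforcement could look in Python: it reads the PINProtection attributes and the grouped RequestedKey IDs with the standard-library XML parser, then checks candidate PINs. The draft does not define what "three-in-a-row" and "sequences" mean, so the example assumes three or more identical consecutive digits and three or more consecutive digits stepping by +1 or -1; the sample request is copied from the post with the comments removed.

```python
"""Validator for the KeyGen2 PINProtection policy from the request above.

Added example, not part of the original post or the KeyGen2 draft.
Assumed readings (the draft does not define them):
  "three-in-a-row": three or more identical consecutive digits
  "sequences":      three or more consecutive digits stepping by +1 or -1
"""
import xml.etree.ElementTree as ET

NS = "{http://xmlns.webpki.org/keygen2/alpha/20070901}"

# Constructed sample: the request from the post, comments removed.
SAMPLE_REQUEST = """\
<KeyGenerationRequest RequestID="I.535100037738"
    ServerTime="2007-09-01T21:03:24Z"
    SubmitURL="https://ca.example.com/keygenres"
    xmlns="http://xmlns.webpki.org/keygen2/alpha/20070901">
  <RequestedKey ID="Key.1" KeyUsage="encryption">
    <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
  </RequestedKey>
  <PINProtection Type="numeric" MinLength="5" MaxLength="8"
      PatternRestrictions="three-in-a-row sequences">
    <PINGroupProtection Shared="true">
      <RequestedKey ID="Key.2" KeyUsage="signature">
        <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
      </RequestedKey>
      <RequestedKey ID="Key.3" KeyUsage="authentication">
        <KeyAlgorithmData><RSA KeySize="2048"/></KeyAlgorithmData>
      </RequestedKey>
    </PINGroupProtection>
  </PINProtection>
</KeyGenerationRequest>
"""


def parse_pin_policy(xml_text):
    """Return the PINProtection policy as a dict, or None if the request has none."""
    root = ET.fromstring(xml_text)
    pp = root.find(NS + "PINProtection")
    if pp is None:
        return None
    group = pp.find(NS + "PINGroupProtection")
    return {
        "type": pp.get("Type"),
        "min_length": int(pp.get("MinLength")),
        "max_length": int(pp.get("MaxLength")),
        "restrictions": set((pp.get("PatternRestrictions") or "").split()),
        # Keys covered by this policy, and whether they share a single PIN.
        "keys": [k.get("ID") for k in pp.iter(NS + "RequestedKey")],
        "shared_pin": group is not None and group.get("Shared") == "true",
    }


def has_three_in_a_row(pin):
    """Assumed meaning of 'three-in-a-row': three identical consecutive characters."""
    return any(pin[i] == pin[i + 1] == pin[i + 2] for i in range(len(pin) - 2))


def has_sequence(pin):
    """Assumed meaning of 'sequences': three consecutive digits stepping by +1 or -1."""
    digits = [int(c) for c in pin]
    for i in range(len(digits) - 2):
        step = digits[i + 1] - digits[i]
        if step in (1, -1) and digits[i + 2] - digits[i + 1] == step:
            return True
    return False


def check_pin(pin, policy):
    """Return the list of policy rules the candidate PIN violates (empty means accepted)."""
    if policy["type"] == "numeric" and not pin.isdigit():
        # A non-numeric PIN cannot be checked against the digit-based patterns.
        return ["type"]
    violations = []
    if not policy["min_length"] <= len(pin) <= policy["max_length"]:
        violations.append("length")
    if "three-in-a-row" in policy["restrictions"] and has_three_in_a_row(pin):
        violations.append("three-in-a-row")
    if "sequences" in policy["restrictions"] and has_sequence(pin):
        violations.append("sequences")
    return violations


if __name__ == "__main__":
    policy = parse_pin_policy(SAMPLE_REQUEST)
    print("keys under PIN policy:", policy["keys"], "shared:", policy["shared_pin"])
    for candidate in ("11122", "11223", "654321"):
        print(candidate, check_pin(candidate, policy) or "accepted")
```

Running it reproduces the three outcomes stated in the comment of the request: 11122 fails on three-in-a-row, 11223 is accepted, and 654321 fails on the sequence rule. Returning the list of violated rules rather than a bare boolean lets the client tell the user which rule the PIN broke, without revealing anything beyond the policy the issuer already sent.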