I did quite a bit of work with the Privacy CA for 1.2. The process, as
described by Pritha, is how I understand it. As for commercially available
Privacy CAs, I don't really know of any that aren't vaporware. Hal
Finney's privacyca.com has been gone for a few years now,
unfortunately. There is at least one in an open source form.
OpenAttestation includes a prototype Privacy CA (
https://github.com/OpenAttestation/OpenAttestation/tree/next/trust-agent/PrivacyCA/src/main/java/gov/niarl/his/privacyca).
It would take some work to get it to work independently, but it follows the
basic standards. The code hasn't been touched for a few years, and there
have been relevant updates to the TCG credential standards since then. The
biggest problem that you will face is that there is very little interest in
doing further development on software that is focused specifically on TPM
1.2.
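The CA-side and TPM-side steps that Pritha and Ken walk through in the quoted thread below, modelled in Go as an added example (not TrouSerS, OpenAttestation or any code from this list): the CA wraps a fresh symmetric key to the EK public key together with a digest of the AIK, the TPM's activate step releases that key only when the digest matches the loaded AIK, and the TSS then uses the key to decrypt the credential. The "ACTIVATE" OAEP label, AES-256-GCM, SHA-256 and the newEK() stand-in for a real EK are assumptions made here for illustration; the actual TPM 1.2 TPM_EK_BLOB structures use SHA-1 and a TPM_SYMMETRIC_KEY, but the shape of the flow is the same.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Challenge models the Privacy CA reply: a symmetric key wrapped to the EK, plus the AIK credential encrypted under it.
type Challenge struct {
	WrappedKey     []byte // RSA-OAEP to the EK public key over symKey||digest(AIK pub), like TPM_EK_BLOB_ACTIVATE
	Nonce, EncCred []byte // AES-256-GCM(symKey, credential); the credential is too large to go under the EK directly
}
func aikDigest(aikPub []byte) []byte { d := sha256.Sum256(aikPub); return d[:] }
func newEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // stand-in for a TPM's EK (assumption)
// privacyCAIssue is the CA side: after validating the EK certificate (not shown), bind a fresh
// symmetric key to this AIK and wrap it so only the holder of the EK private key can open it.
func privacyCAIssue(ekPub *rsa.PublicKey, aikPub, credential []byte) (Challenge, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	blob := append(key, aikDigest(aikPub)...) // "ACTIVATE" is a constructed OAEP label; real 1.2 blobs use "TCPA"
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, blob, []byte("ACTIVATE"))
	if err != nil {
		return Challenge{}, err
	}
	return Challenge{wrapped, nonce, gcm.Seal(nil, nonce, credential, nil)}, nil
}
// activateIdentity is the TPM side of Tspi_TPM_ActivateIdentity: release the symmetric key only if
// the digest in the blob matches the AIK actually loaded, so a CA reply cannot be reused for another AIK.
func activateIdentity(ekPriv *rsa.PrivateKey, aikPub []byte, c Challenge) ([]byte, error) {
	blob, err := rsa.DecryptOAEP(sha256.New(), nil, ekPriv, c.WrappedKey, []byte("ACTIVATE"))
	if err != nil || len(blob) != 32+sha256.Size || !hmac.Equal(blob[32:], aikDigest(aikPub)) {
		return nil, errors.New("activate: EK blob invalid or bound to a different AIK")
	}
	return blob[:32], nil
}
// recoverCredential is the TSS side: decrypt the credential with the key the TPM released.
func recoverCredential(key []byte, c Challenge) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Open(nil, c.Nonce, c.EncCred, nil)
}
```

In a real deployment the Challenge would be serialised (Ken mentions JSON over a socket) and the CA would first verify the EK certificate chain before issuing anything.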
On Fri, Mar 10, 2017 at 12:20 PM, Ken Goldman <[email protected]> wrote:
> I'm not an expert on the TSS side, but I'll try a few comments.
>
> On 3/10/2017 1:32 AM, Pritha Ganguly wrote:
>
> > I can use the Tspi_TPM_CollateIdentity_Request() API to tell the TPM
> > to create an AIK for me. This API returns a certificate request
> > structure (public AIK + Endorsement credential of my TPM) encrypted
> > with the public key of the Privacy CA.
>
> The first part (AIK + EK certificate) sounds right. I never heard of
> encrypting the request with the CA public key.
>
> > I need to send this to the Privacy CA so that the Privacy CA can
> > issue a credential for my AIK. The reply from the Privacy CA will be
> > encrypted by the public EK of my TPM. I have to pass the encrypted blob
> > to Tspi_TPM_ActivateIdentity() to get the credential.
>
> This sounds correct.
>
> In detail, activate identity likely returns a symmetric key that you use
> to recover the certificate. The certificate is too large to be
> encrypted directly with the EK.
>
> > I have a very basic doubt. Who will behave as the Privacy CA in this
> > case? Do I have to create my own CA?
>
> I have one for TPM 2.0, but not for 1.2. I don't know if there's an
> open source CA.
>
> > Also, how do I send the output of Tspi_TPM_CollateIdentity_Request()
> > to the PrivacyCA, as in what protocol is to be followed for the
> > communication between the TPM and PrivacyCA?
>
> I don't know of any standard.
>
> I converted the blob to json and sent it over a socket.
>
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>