1. The encryption of the identity request is not necessarily done using the
signing key. I see this as an alternate to HTTPS, where the blob is
encrypted using communication key. It would be unusual to have the CA's web
security using the same key that is used to sign certs.
2. All of this encryption is done by encrypting using a symmetric session
key, which is wrapped in a structure and then encrypted using the RSA key.
It's a symmetric process -- the resulting AIC is wrapped in the same way
with the EK, and unpacked on the client side using the ActivateIdentity
command. Most of the process is handled by software (TrouSerS). The TPM
uses the EK to unwrap the structure containing the AES key that is used by
software to decrypt the larger blob containing the cert.
On Fri, Mar 10, 2017 at 2:28 PM, Ken Goldman <[email protected]> wrote:
> On 3/10/2017 12:33 PM, Chris Hawkins wrote:
> > I did quite a bit of work with the Privacy CA for 1.2. The process, as
> > described by Pritha, is how I understand it.
>
> The one part I question is the client sending the blob with the AIK
> public key and EK certificate to the CA "encrypted with the public key
> of the Privacy CA".
>
> 1 - This means that the CA would have to use its signing private key in
> a decryption operation. Such a dual purpose CA key would be unusual.
>
> 2 - It's unlikely that the CA (RSA) public key would be large enough to
> encrypt that blob.
>
>
>
> ------------------------------------------------------------
> ------------------
> Announcing the Oxford Dictionaries API! The API offers world-renowned
> dictionary content that is easy and intuitive to access. Sign up for an
> account today to start using our lexical data to power your apps and
> projects. Get started today and enter our developer competition.
> http://sdm.link/oxford
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
------------------------------------------------------------------------------
Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
http://sdm.link/oxford
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
