On 3/10/2017 2:55 PM, Tadd Seiff wrote:
> I'm quite sure that in this step there is a session key wrapped with
> the main PCA RSA key-pair, the public portion of which you send to
> the TPM in TPM_CollateIdentityRequest(...).
>
> This symmetric/session key is unwrapped and used to decrypt the
> larger blob containing the AIK identity proof payload.

I understand the layered wrapping, but I still doubt that the privacy CA's signing key will be able to decrypt. Such dual purpose is discouraged. I also suspect that you would not want the CA signing key to be so exposed to the internet as part of the communication protocol. I imagine it being on a separate server with layers of firewalls shielding it. That is, cryptographically and physically separate the communication protocol from the certificate signing.
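
Added example, not part of the original message or of TrouSerS: a Go check that flags a certificate whose key usage lets one key both sign certificates and decrypt, the dual purpose discouraged above. The helper names and certificate subjects are hypothetical, and the certificates are constructed inside the program.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert (hypothetical helper) issues a constructed, self-signed test
// certificate over a fresh RSA key with the requested key usage bits.
func makeCert(cn string, ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DualPurpose (hypothetical helper) reports whether one certified key may
// both sign certificates or CRLs and decrypt wrapped keys or data.
func DualPurpose(c *x509.Certificate) bool {
	signs := c.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0
	decrypts := c.KeyUsage&(x509.KeyUsageKeyEncipherment|x509.KeyUsageDataEncipherment) != 0
	return signs && decrypts
}

func main() {
	for cn, ku := range map[string]x509.KeyUsage{
		"pca-signing (constructed)":   x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		"pca-transport (constructed)": x509.KeyUsageKeyEncipherment,
		"pca-combined (constructed)":  x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment,
	} {
		cert, err := makeCert(cn, ku)
		if err != nil {
			panic(err)
		}
		fmt.Println(cn, "dual-purpose:", DualPurpose(cert))
	}
}
```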
