Hi,

The project http://android-keystore-v2.webpki.org of mine may look pretty
dead and that is right because I have been busy creating a specification
( http://webpki.org/papers/keygen2/sks-api-arch.pdf ), and a reference
implementation before taking on a difficult target like Android.

http://code.google.com/p/openkeystore/source/browse/trunk/library/src/org/webpki/sks/test/SKSReferenceImplementation.java

This is preliminary and not 100% aligned with the specification but it
does already in the current incarnation support remote provisioning
and *management* of

- Symmetric keys (for OTP etc.)
- PKI
- Information Cards
- PINs, and PUKs
- Logotypes
- Arbitrary key attribute data

using an E2ES (End-to-End Secured) scheme.

As you can see, complexity is fairly low, which IMO is a prerequisite for
reaching out to consumers on a huge variety of platforms.

The only thing that is non-trivial is the protocol which currently requires
up to 10 (!) passes.  The reason for that is that you must take things in
steps in order to protect user privacy, negotiate algorithms, create shared
provisioning session keys, and provide a foundation for secure and *robust*
management of remote keys belonging to an arbitrary number of
*independent* issuers.

Although the reference implementation is written in Java, I don't believe
that it is a suitable solution for Android since the keystore should be a
*shared* and *protected* resource which calls for some kind of "daemon"
belonging to the core platform. If somebody out there would be interested in
collaborating on creating a true Android implementation, please drop me a line!

-- Anders

http://webpki.org/auth-token-4-the-cloud.html
