Anders Rundgren wrote:
>> So what is then the real problem?
>> 1. The European Smart Card industry who do not want to become suppliers
>> of commodities.
>???
>Each time I talked to smartcard vendors they were keen on selling their
>stuff. The more the better.
You mean there is a standard blank smartcard that you can buy from
multiple vendors that works right-out-of-the-box in most computer
systems? Using what kind of standard personalization software?
Different vendors have different smartcards but you can use them from
different applications through PKCS#11 and CAPI/CSP. The software
quality differs.
You claimed that banks do not use PKI with smartcards for authc because
there's nothing available. I don't think so. The banks do not want to
get involved with supporting software/hardware installed at the user's
PC. You should look at the HBCI history.
>> To achieve that we need a whole bunch of enablement technologies.
>> Most of the PKIX enrollment stuff will be obsolete in 5-10 years from
>> now
>I'd never trust a system where the mobile phone vendor initializes a key
>to avoid an enrollment process. If you really plan to establish such a
>system be assured that I will fight against this.
The idea is rather that the phone vendor provides an Open Key Container
which is initialized by a certified device key which is used for key
attestations:
And how is the device key certified to establish trust?
http://tinyurl.com/6rg7ap
Pretty vague.
This all does not solve the basic problem which is: People are too lazy
to use this technology to mitigate risks if they are not forced to use
it (by law or security policy).
Ciao, Michael.