Hi Anders, I'm very interested in these matters too. (Thanks, Roberto, for starting the discussion here!)

>> Moreover, I'm rather curious about SM for digital signature outside
>> Italy; is it used at all?
>
> It is used by for example Swedish governments for citizens' on-line
> tax-declaration.
> I believe 500 000 people used it this year.

I'm not sure I understand entirely; so the system uses a digital signature, but would you know if it uses secure messaging too?

>> If yes, is it implemented in a similar fashion? (SM keys embedded in sw
>> libraries?)
>
> No, I don't think SM has reached out to citizen/consumer PCs for several
> reasons including an IMHO rather questionable security model. Why would
> the libraries be any more trustworthy than the rest of the computer?

Do I infer correctly that the system uses secure messaging, but client-side software is limited to relaying encoded APDUs that are generated/decoded by the server-side application?

As for your question: I agree entirely with your observation, as there is nothing making client-side libraries more trustworthy or able to shroud the SM keys, yet this is the model by which Italian qualified signatures are deemed compliant with CWA 14169.

Thanks!
--
Emanuele
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel