Dear Frank,

we have such a card. Take a look at [1].

The card internally generates a key pair and a CSR as defined in
TR-03110 (that is the standard for biometric passports, in particular
Extended Access Control). Such an authenticated request contains two
signatures: the inner signature is the proof-of-correspondence (I own
the private and public key) and the outer signature provides
proof-of-origin (the key was generated in an authentic device).

Each card contains a device authentication key that gets certified
during production. A CA receiving a certificate request must

1. first verify the device authentication certificate read from the card,
2. then verify the outer signature with the public key obtained from the
device authentication certificate,
3. then verify the inner signature to prove that the sender actually
owns the private key and
4. finally issue a certificate for the public key contained.

The scheme is specifically used for remote certificate issuance, where
you can not rely on a secure communication channel between the CA and
the token.

Andreas

[1] http://www.cardcontact.de/products/SmartCard-HSM_V1.0.pdf

Am 19.01.2012 01:20, schrieb Frank Cusack:
> In a CSR, how is it proven that the key resides on a smart card (and
> is not exportable)?  In my understanding, the CSR is signed by the
> private key of the (to be) cert itself.  Thus that signature only
> proves that the requester actually possesses the private half, not
> that the private key resides on a smart card.
>
> Looking at the cryptoflex command set, I don't see anything there that
> would add something to the CSR asserting that the key was generated
> on-card.  Same for ISO 7816-8, but I could easily be missing
> something.  Are there card specific APDUs that add some proof?  If so,
> any pointers to what cards can do this?
>
> Or is the typical method basically to require use of a "secure"
> enrollment station?
>
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 171 8334920
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to