Dear Frank, we have such a card. Take a look at [1].
The card internally generates a key pair and a CSR as defined in TR-03110 (that is the standard for biometric passports, in particular Extended Access Control). Such an authenticated request contains two signatures: the inner signature is the proof-of-correspondence (I own the private and public key) and the outer signature provides proof-of-origin (the key was generated in an authentic device). Each card contains a device authentication key that gets certified during production. A CA receiving a certificate request must 1. first verify the device authentication certificate read from the card, 2. then verify the outer signature with the public key obtained from the device authentication certificate, 3. then verify the inner signature to prove that the sender actually owns the private key and 4. finally issue a certificate for the public key contained. The scheme is specifically used for remote certificate issuance, where you can not rely on a secure communication channel between the CA and the token. Andreas [1] http://www.cardcontact.de/products/SmartCard-HSM_V1.0.pdf Am 19.01.2012 01:20, schrieb Frank Cusack: > In a CSR, how is it proven that the key resides on a smart card (and > is not exportable)? In my understanding, the CSR is signed by the > private key of the (to be) cert itself. Thus that signature only > proves that the requester actually possesses the private half, not > that the private key resides on a smart card. > > Looking at the cryptoflex command set, I don't see anything there that > would add something to the CSR asserting that the key was generated > on-card. Same for ISO 7816-8, but I could easily be missing > something. Are there card specific APDUs that add some proof? If so, > any pointers to what cards can do this? > > Or is the typical method basically to require use of a "secure" > enrollment station? > > > _______________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 171 8334920 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel