On 2012-01-19 09:38, NdK wrote:
> On 19/01/2012 09:16, Peter Stuge wrote:
>> Christian Hohnstaedt wrote:
>>> Anything that can be signed by the card can be signed by a software
>>> key, too.
>> Yes of course. But the point is that the card can come with the
>> special key pre-installed.
> I see at least two ways here:
> 1) the 'technical' way: have a card that, when issued (= before being
> given to the user), already contains a cert for a key generated on-card.
> When the user requests a new cert, the old one (referencing the same private
> key) must be included as proof (actually, the 'public key' part could
> be taken from this cert, simplifying the CSR, which could even be a simple web
> form for the other info).
> 2) the 'legal' way (might not be applicable everywhere): when the user
> submits a CSR, (s)he must swear that the key has been generated on-card
> and is not extractable
>
> It's the usual chicken-and-egg problem. :)
This is a long since solved problem. It is an intrinsic part of GlobalPlatform, where you don't really use CSRs and PoPs but a session key to secure that you are really talking to the card.

On http://webpki.org/auth-token-4-the-cloud.html you can find a lot of material on a system that takes this concept to a new level by making the entire provisioning session a transaction.

I hope to present it on FOSDEM but I haven't heard from Martin yet...

-- 
Anders

>
> PS: a doubt just popped in my mind: can I store multiple certs for the
> same private key? How?
>
> BYtE,
> Diego.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
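The 'technical' way from option 1 in the quoted message, as an added example that is not part of the thread and is neither OpenSC nor GlobalPlatform code: a hypothetical card-issuer CA written in Go with only the standard library. It issues a bootstrap certificate for a card-generated key before the card is handed out, and later re-certifies a CSR only if the CSR is self-signed (proof of possession), the accompanying prior certificate chains to this CA, and the CSR carries exactly the key that prior certificate certifies. The names CardCA, GenerateCardKey, MakeCSR and Enroll are assumptions, and GenerateCardKey stands in for on-card generation since no real card is involved. The caveat: this proves continuity with a key the issuer certified while it controlled the card, not non-extractability as such; that assurance still rests on the card having generated the key in the first place.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CardCA is a hypothetical card-issuer CA (assumed name, not a real project).
type CardCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// signAndParse signs tmpl under parent with signer and returns the parsed result.
func signAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func leafTemplate(serial int64, subject pkix.Name) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// NewCardCA creates a self-signed issuer CA.
func NewCardCA() (*CardCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := leafTemplate(1, pkix.Name{CommonName: "Card Issuer CA (example)"})
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	cert, err := signAndParse(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CardCA{key: key, cert: cert}, nil
}

// GenerateCardKey stands in for on-card key generation (assumption: a real
// card would generate the key itself and never export the private half).
func GenerateCardKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueBootstrapCert runs once, while the issuer still holds the card.
func (ca *CardCA) IssueBootstrapCert(cardPub *ecdsa.PublicKey, serial int64) (*x509.Certificate, error) {
	return signAndParse(leafTemplate(serial, pkix.Name{CommonName: "bootstrap"}), ca.cert, cardPub, ca.key)
}

// MakeCSR is the user/card side of a later certificate request.
func MakeCSR(key *ecdsa.PrivateKey, commonName string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
}

// Enroll re-certifies the CSR key only if it is the key certified at issuance.
func (ca *CardCA) Enroll(csrDER []byte, prior *x509.Certificate, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR key
		return nil, errors.New("CSR signature invalid: no proof of possession")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := prior.Verify(opts); err != nil { // prior cert must be ours
		return nil, errors.New("prior certificate was not issued by this CA")
	}
	// Same SubjectPublicKeyInfo bytes: the CSR key is the card key we certified.
	if !bytes.Equal(csr.RawSubjectPublicKeyInfo, prior.RawSubjectPublicKeyInfo) {
		return nil, errors.New("CSR key is not the key certified at card issuance")
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected key type in CSR")
	}
	return signAndParse(leafTemplate(serial, csr.Subject), ca.cert, pub, ca.key)
}

func main() {
	ca, _ := NewCardCA()
	cardKey, _ := GenerateCardKey()
	boot, _ := ca.IssueBootstrapCert(&cardKey.PublicKey, 100)
	csr, _ := MakeCSR(cardKey, "example user")
	_, err := ca.Enroll(csr, boot, 101)
	fmt.Println("card key CSR accepted:", err == nil)
	softKey, _ := GenerateCardKey() // stands in for a software-generated key
	csr2, _ := MakeCSR(softKey, "example user")
	_, err = ca.Enroll(csr2, boot, 102)
	fmt.Println("software key CSR rejected:", err != nil)
}
```

Enroll compares the raw SubjectPublicKeyInfo bytes rather than re-deriving a key from the prior certificate, so the check is exact regardless of key type; the prior certificate itself is what the user hands over alongside the CSR, which is why the issuer needs no state beyond its own CA certificate. The accepted path also produces a second certificate over the same card key, which is the situation the PS in the quoted message asks about.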