Hi Frank, you are right with the German identity card, however our approach is different: Our card (which is not an nPA) stores the key required for terminal authentication, not for chip authentication. The key for terminal authentication must be certified by a DVCA, which in turn is certified by a national CVCA. So the challenge is to prove that the key pair for terminal authentication was actually generated at the secure token in the terminal.
We are just reusing the established authenticated CSR format from TR-03110 and building that into the card. The key for signing the authenticated request can only be used for this specific purpose; this is enforced internally in the card. There is no secure messaging involved, because we only need to provide integrity and authenticity of the CSR. The scheme has no need for confidentiality, as all information is public anyway (CSR and certificate written to the card).

Andreas

On 20.01.2012 11:49, Frank Morgner wrote:
> Hi!
>
>>> I don't think that's enough? It doesn't matter if the card trusts the CA,
>>> it's that the CA has to trust the card.
>> Difficult to do more with the common cards.
> As Andreas said, the German identity card (nPA) has this functionality
> (BSI TR-03110). A whole bunch of technical guidelines (TRs) describe
> every entity and process needed. Services that use the ID card for
> online authentication and identification are already available.
>
> What Andreas did not mention is that a card's key is actually shared
> among multiple cards for privacy reasons. This makes revocation a bit
> difficult. So for the nPA we will soon see chip individual keys and/or
> group signature schemes.
>
> Cheers, Frank.
>
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 171 8334920
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
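The two-signature idea Andreas describes (an inner signature with the newly generated terminal authentication key, and an outer signature with a key that may only sign requests and that the DVCA already knows) can be illustrated with a small model. The following Go program is an added example written for this thread; it is not code from Andreas, CardContact or OpenSC, and it does not produce TR-03110 CV request encodings. It uses Go's standard-library ECDSA (P-256, SHA-256) instead of the card's real key types and formats, the struct and function names are hypothetical, and the holder reference "DETERM00001" is a constructed sample value. What it shows is the check the DVCA side has to make: the outer signature proves the request came from a registered token, and the inner signature proves possession of the new key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// AuthenticatedRequest is a simplified stand-in (hypothetical field names) for
// an authenticated request: a body carrying the new public key, an inner
// signature made with the new private key, and an outer signature made with
// the token's request-signing key that the DVCA has on file.
type AuthenticatedRequest struct {
	HolderRef string // name of the terminal asking for a certificate
	NewPubKey []byte // PKIX DER encoding of the freshly generated key
	InnerSig  []byte // proof of possession of the new private key
	OuterSig  []byte // proof that the request was built inside the token
}

// SecureToken models the token in the terminal. Its request-signing key is
// used for nothing but the outer signature of authenticated requests.
type SecureToken struct {
	requestSigningKey *ecdsa.PrivateKey
}

func NewSecureToken() (*SecureToken, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureToken{requestSigningKey: k}, nil
}

// RegisteredPublicKey is what the DVCA keeps on file for this token.
func (t *SecureToken) RegisteredPublicKey() *ecdsa.PublicKey {
	return &t.requestSigningKey.PublicKey
}

// digest binds the holder reference and the new key together with a length
// prefix, so neither field can be swapped without invalidating the signatures.
func digest(holderRef string, pub []byte) []byte {
	msg := []byte{byte(len(holderRef) >> 8), byte(len(holderRef))}
	msg = append(msg, holderRef...)
	msg = append(msg, pub...)
	h := sha256.Sum256(msg)
	return h[:]
}

// outerInput is what the token's request-signing key signs: body and inner
// signature together, so the DVCA can tell both were produced on the token.
func outerInput(body, innerSig []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, body...), innerSig...))
	return h[:]
}

// GenerateAuthenticatedRequest creates the terminal authentication key pair
// inside the token and returns the request; the private key never leaves.
func (t *SecureToken) GenerateAuthenticatedRequest(holderRef string) (*AuthenticatedRequest, error) {
	taKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&taKey.PublicKey)
	if err != nil {
		return nil, err
	}
	body := digest(holderRef, pubDER)
	inner, err := ecdsa.SignASN1(rand.Reader, taKey, body)
	if err != nil {
		return nil, err
	}
	outer, err := ecdsa.SignASN1(rand.Reader, t.requestSigningKey, outerInput(body, inner))
	if err != nil {
		return nil, err
	}
	return &AuthenticatedRequest{HolderRef: holderRef, NewPubKey: pubDER, InnerSig: inner, OuterSig: outer}, nil
}

// VerifyAuthenticatedRequest is the DVCA side: first the outer signature
// against the registered token key, then the inner signature against the
// new key carried in the request.
func VerifyAuthenticatedRequest(req *AuthenticatedRequest, tokenKey *ecdsa.PublicKey) error {
	body := digest(req.HolderRef, req.NewPubKey)
	if !ecdsa.VerifyASN1(tokenKey, outerInput(body, req.InnerSig), req.OuterSig) {
		return errors.New("outer signature invalid: request not from a registered token")
	}
	parsed, err := x509.ParsePKIXPublicKey(req.NewPubKey)
	if err != nil {
		return err
	}
	newPub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("new key is not an ECDSA key")
	}
	if !ecdsa.VerifyASN1(newPub, body, req.InnerSig) {
		return errors.New("inner signature invalid: no proof of possession of the new key")
	}
	return nil
}

func main() {
	token, _ := NewSecureToken()
	req, _ := token.GenerateAuthenticatedRequest("DETERM00001") // constructed holder reference
	fmt.Println("request from registered token:", VerifyAuthenticatedRequest(req, token.RegisteredPublicKey()))
	rogue, _ := NewSecureToken() // a token the DVCA has never registered
	bad, _ := rogue.GenerateAuthenticatedRequest("DETERM00001")
	fmt.Println("request from unregistered token:", VerifyAuthenticatedRequest(bad, token.RegisteredPublicKey()))
}
```

The order of the two checks matters for the point made in the thread: the DVCA only looks at the self-signed inner part once the outer signature has tied the request to a token key it already trusts, which is what replaces chip authentication and secure messaging in this scheme. Revocation of a token's request-signing key is not modelled here.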