On 2012-08-06 12:51, Nikos Mavrogiannopoulos wrote:
> On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren
> <anders.rundg...@telia.com> wrote:
>> On 2012-08-06 11:23, Andreas Schwier wrote:
>>> I would assume, that checking constraints is the job of the RA, not the CA.
>>>
>>> Anyway, our design works the other way around: The card generates the
>>> CSR internally, so the RA/CA can prove the key was generated in a
>>> legitimate device. The device can be anywhere out in the wild.
>>
>> Which is the future for smart cards, otherwise they must be physically
>> distributed after provisioning.
> 
> But how do you prove that the key was generated in the card? You'd
> need some kind of provisioning to do that.

The card (crypto module) should contain a key provisioned during
manufacturing that is restricted to only attest public keys.

A certificate fingerprint of the attestation key certificate is
then typically used for identifying the crypto module.

I see this primarily as a very useful method for "cloning" an ID.

Let's say that you have an eID and you would rather have a mobile ID
in the Y2014 model of Android.  Then browse to the eID RA,
authenticate with your eID, type the first 8 characters of the
Android attestation certificate fingerprint, and ask for a
"clone" to the device with phone number +46nnnnnnnn.  You get an SMS
with a URL that you click on that will take you to enroll.
If the eID RA accepts this device brand (based on attestation
certificate) and the fingerprint matches you will get a
new certificate in your phone.  Naturally the entire process
must be carried out using some kind of secure messaging mechanism.

This could be called SCC (Secure Credential Cloning).

Yes, the eID will most likely only be a "bootstrap" credential
that you keep in a drawer...

However, the same concept can also be used in M2M communication
like that required by SPOC, ATMs, etc.

Anders


> 
> regards,
> Nikos
> 
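The attestation flow described in the reply above (manufacturing-provisioned attestation key that only signs public keys, attestation-certificate fingerprint as the module identifier, the RA checking the device brand and the first 8 fingerprint characters before issuing), as an added stand-alone model that is not code from OpenSC or from anyone on this thread. It assumes Ed25519 for all signatures and stands in for the X.509 attestation certificate with a struct (vendor name, attestation public key, vendor signature); the type and function names are the example's own. It also adds an RA-chosen challenge bound into the attestation statement, a detail the mail does not spell out but which the "secure messaging" requirement implies, so that a captured attestation cannot be replayed into a later enrollment.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AttestationCert stands in for the X.509 attestation certificate: the
// module's attestation public key plus the device vendor's signature over it.
type AttestationCert struct {
	Vendor    string
	PubKey    ed25519.PublicKey
	VendorSig []byte
}

// Fingerprint is SHA-256 over the certificate's encoded form (here: the raw
// public key); it is the value the user reads off the phone.
func (c AttestationCert) Fingerprint() string {
	sum := sha256.Sum256(c.PubKey)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// Module models the crypto module. The attestation private key is provisioned
// at manufacture and is only ever used to sign attestation statements.
type Module struct {
	Cert    AttestationCert
	attPriv ed25519.PrivateKey
}

// Attestation is what the module returns for a key it generated internally.
type Attestation struct {
	Cert      AttestationCert
	NewPubKey ed25519.PublicKey
	Challenge []byte
	Sig       []byte
}

// attestationMessage fixes the signed encoding: a domain tag, the new public
// key and the RA's challenge (the challenge prevents replay into another enrollment).
func attestationMessage(pub ed25519.PublicKey, challenge []byte) []byte {
	return append(append([]byte("key-attest:"), pub...), challenge...)
}

// Manufacture provisions a module with a fresh attestation key and a vendor
// signature over its public half (the "attestation certificate").
func Manufacture(vendor string, vendorPriv ed25519.PrivateKey) (*Module, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	cert := AttestationCert{Vendor: vendor, PubKey: pub, VendorSig: ed25519.Sign(vendorPriv, pub)}
	return &Module{Cert: cert, attPriv: priv}, nil
}

// GenerateAttestedKey generates the user key inside the module and signs its
// public half with the attestation key; the private half never leaves here.
func (m *Module) GenerateAttestedKey(challenge []byte) (ed25519.PrivateKey, Attestation, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Attestation{}, err
	}
	sig := ed25519.Sign(m.attPriv, attestationMessage(pub, challenge))
	return priv, Attestation{Cert: m.Cert, NewPubKey: pub, Challenge: challenge, Sig: sig}, nil
}

// RA holds the vendor attestation roots it is willing to accept (the "device brand" policy).
type RA struct {
	TrustedVendors map[string]ed25519.PublicKey
}

// NewChallenge returns a fresh per-enrollment nonce.
func (ra RA) NewChallenge() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// VerifyEnrollment performs the RA-side checks before a certificate is issued:
// accepted vendor, genuine attestation certificate, fingerprint prefix typed by
// the user, challenge binding, and the attestation signature over the new key.
func (ra RA) VerifyEnrollment(att Attestation, challenge []byte, typedPrefix string) error {
	vendorPub, ok := ra.TrustedVendors[att.Cert.Vendor]
	if !ok {
		return errors.New("device brand not accepted")
	}
	if !ed25519.Verify(vendorPub, att.Cert.PubKey, att.Cert.VendorSig) {
		return errors.New("attestation certificate not issued by the claimed vendor")
	}
	if len(typedPrefix) < 8 || !strings.HasPrefix(att.Cert.Fingerprint(), strings.ToUpper(typedPrefix)) {
		return errors.New("fingerprint prefix does not match the attesting device")
	}
	if !bytes.Equal(att.Challenge, challenge) {
		return errors.New("attestation does not answer this enrollment's challenge")
	}
	if !ed25519.Verify(att.Cert.PubKey, attestationMessage(att.NewPubKey, challenge), att.Sig) {
		return errors.New("attestation signature invalid: key not proven to come from the device")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor root
	ra := RA{TrustedVendors: map[string]ed25519.PublicKey{"ExampleVendor": vendorPub}}
	mod, _ := Manufacture("ExampleVendor", vendorPriv)
	ch := ra.NewChallenge()
	_, att, _ := mod.GenerateAttestedKey(ch)
	fmt.Println("fingerprint:", att.Cert.Fingerprint())
	fmt.Println("enrollment:", ra.VerifyEnrollment(att, ch, att.Cert.Fingerprint()[:8]))
}
```

The typed 8-character prefix only ties the enrollment to the device the user is holding; on its own it carries too little entropy to authenticate anything, which is why the RA also verifies the vendor signature on the attestation certificate and the attestation signature over the new public key. A real deployment would carry the attestation key in an X.509 chain and verify it with the platform's certificate library rather than the struct used here.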

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
