Although not currently directly related to OpenSC, this project addresses the same needs but in a *very* different way.
The idea is creating a standardized cryptographic container that is only intended for authentication to services on the Internet, which means that it is useless as the foundation for a health card or transportation token. Although some smart card purists will tell you that smart cards already are standardized, the reality is that there are a gazillion framework standards, each giving you an option to "be different". If that were not a fact, OpenSC would (more or less) be a redundant project since you would only need to write a card driver once.

So this scheme has a high-level API that is similar to PKCS #11 but not (at all) identical, since PKCS #11 offers no support for E2ES (End to End Secured) provisioning. In theory you could add this as extensions, but I consider that a difficult task since PKCS #11 is already quite complex and has its own way of looking at the world of cryptographic keys. PKCS #11's SO (Security Officer) role is "virtualized" as a networked token-to-issuer relation. Note: each issuer is an SO for the stuff *they* provisioned only! My solution was creating a specific "Provisioning API" and then having a fairly simple "User API" which can be mapped to PKCS #11, JCE, CryptoAPI etc.

Unlike, for example, GlobalPlatform's E2ES scheme, the KeyGen2/SKS concept offers fully *atomic* (transaction-based) provisioning sessions, which means that under normal circumstances (absence of a power fail exactly during "commit") you will never end up with a broken or half-provisioned token. It also means that the issuer gets full insight (through a *cryptographic proof*) into whether the provisioning succeeded or not. In contrast to most smart card schemes, this concept is also intended to work in mobile phones with embedded security hardware. In such configurations there is no card driver; the secure operations rather take place inside a dedicated compartment of the CPU itself, like in ARM's TrustZone.

In addition, the scheme also supports Information Cards, which I think could be important since it combines PKI and federation in a nice way. Everything is in a rather early state, but it is already working as an emulator and concept verifier. The next steps include writing a browser extension supporting the 10-pass KeyGen2 provisioning/management protocol as well as committing SKS to USB hardware.

Anders

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
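The three properties the post leans on (staged keys that only become visible at a single "commit" step, a keyed proof returned to the issuer so it can tell whether the commit happened, and each issuer acting as Security Officer only for the keys it provisioned) can be modelled in a few dozen lines. The following is an added toy emulator written for this page; it is not KeyGen2/SKS code, and the class names, the transcript format, and the use of an HMAC over a pre-shared session key as the "proof" are assumptions made to keep the example self-contained.

```python
"""Toy model of atomic (transaction-based) key provisioning with a
cryptographic proof of commit and per-issuer ownership of keys.

Added illustration for this page; not KeyGen2/SKS code. The session
transcript format and HMAC-based proof are assumptions of this model.
"""
import hmac
import secrets


class ProvisioningError(Exception):
    """Raised when a Provisioning API call is not allowed in the current state."""


def session_transcript(session_id, issuer_id, key_ids):
    """Canonical byte string both sides MAC over (assumed format)."""
    return "\n".join([session_id, issuer_id] + sorted(key_ids)).encode()


def expected_proof(session_key, session_id, issuer_id, key_ids):
    """Issuer-side recomputation of the proof the token must return on commit."""
    return hmac.new(session_key, session_transcript(session_id, issuer_id, key_ids),
                    "sha256").hexdigest()


class Token:
    def __init__(self):
        # Committed key store visible to the User API: key_id -> record.
        self.keys = {}
        # In-flight provisioning session; nothing here is visible until commit.
        self._session = None

    # ---- Provisioning API (issuer side of the E2ES relation) ----
    def open_session(self, issuer_id, session_key):
        if self._session is not None:
            raise ProvisioningError("a provisioning session is already open")
        session_id = secrets.token_hex(8)
        self._session = {"id": session_id, "issuer": issuer_id,
                         "key": session_key, "staged": {}}
        return session_id

    def _require_session(self):
        if self._session is None:
            raise ProvisioningError("no provisioning session open")
        return self._session

    def stage_key(self, key_id, secret):
        """Stage a key; it does not exist for the User API until commit()."""
        s = self._require_session()
        owner = self.keys.get(key_id, {}).get("issuer")
        if owner is not None and owner != s["issuer"]:
            # Each issuer is SO only for what it provisioned itself.
            raise ProvisioningError("key %s is owned by issuer %s" % (key_id, owner))
        s["staged"][key_id] = secret

    def commit(self):
        """Publish all staged keys in one step and return the proof of commit."""
        s = self._require_session()
        # Single dict update: either all staged keys land or none do.
        self.keys.update({k: {"issuer": s["issuer"], "secret": v}
                          for k, v in s["staged"].items()})
        proof = hmac.new(s["key"], session_transcript(s["id"], s["issuer"],
                                                      s["staged"].keys()),
                         "sha256").hexdigest()
        self._session = None
        return proof

    def abort(self):
        """Discard the session; the committed store is untouched."""
        self._session = None

    def delete_key(self, issuer_id, key_id):
        """Management operation restricted to the provisioning issuer."""
        if self.keys.get(key_id, {}).get("issuer") != issuer_id:
            raise ProvisioningError("issuer %s does not own %s" % (issuer_id, key_id))
        del self.keys[key_id]

    # ---- User API (what PKCS #11 / JCE / CryptoAPI would map onto) ----
    def list_keys(self):
        return sorted(self.keys)


def demo():
    """Two issuers provision the same token; returns observations for checking."""
    token = Token()
    key_a = secrets.token_bytes(32)          # constructed session key for issuer A
    sid = token.open_session("issuer-A", key_a)
    token.stage_key("k1", b"secret-1")
    token.stage_key("k2", b"secret-2")
    visible_before_commit = token.list_keys()        # staged keys are not visible yet
    proof = token.commit()
    proof_ok = hmac.compare_digest(
        proof, expected_proof(key_a, sid, "issuer-A", ["k1", "k2"]))

    key_b = secrets.token_bytes(32)          # constructed session key for issuer B
    token.open_session("issuer-B", key_b)
    token.stage_key("k3", b"secret-3")
    try:
        token.stage_key("k1", b"overwrite")  # B is not the SO for A's key
        cross_issuer_blocked = False
    except ProvisioningError:
        cross_issuer_blocked = True
    token.abort()                            # failed session leaves no trace of k3
    return {"visible_before_commit": visible_before_commit, "proof_ok": proof_ok,
            "cross_issuer_blocked": cross_issuer_blocked,
            "keys_after_abort": token.list_keys()}


if __name__ == "__main__":
    print(demo())
```

The two points worth noticing when running it: `visible_before_commit` is empty even though two keys were staged, and after issuer B's aborted session the store still holds exactly issuer A's keys, so the issuer never sees a half-provisioned token. A real implementation would additionally bind the transcript to the token's identity and to the encrypted key material, and derive the session key through a key agreement rather than pre-sharing it.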