Re: [opensc-devel] proving a key is on a smart card

2012-01-20 Thread Andreas Schwier (ML)
Hi Frank, you are right with the German identity card, however our approach is different: Our card (which is not an nPA) stores the key required for terminal authentication, not for chip authentication. The key for terminal authentication must be certified by a DVCA, which in turn is certified by a na

Re: [opensc-devel] proving a key is on a smart card

2012-01-20 Thread Frank Morgner
Hi!

> > I don't think that's enough? It doesn't matter if the card trusts the CA,
> > it's that the CA has to trust the card.
> Difficult to do more with the common cards.

As Andreas said, the German identity card (nPA) has this functionality (BSI TR-03110). A whole bunch of technical guideline

Re: [opensc-devel] proving a key is on a smart card

2012-01-20 Thread Anders Rundgren
TPMs already have an EK (Endorsement Key) on the chip. However, the TPM guys didn't look into SM (Secure Messaging) so at least the current version (1.2) is quite crippled. Microsoft intends to make TPM 2.0 a standard feature in W8 "pads". Their take on secure silicon is making it a part of the CP

Re: [opensc-devel] proving a key is on a smart card

2012-01-20 Thread Viktor Tarasov
On Thu, Jan 19, 2012 at 7:25 PM, Frank Cusack wrote:
> On Thu, Jan 19, 2012 at 2:27 AM, Viktor Tarasov wrote:
>>
>> On Thu, Jan 19, 2012 at 9:52 AM, Frank Cusack wrote:
>>> On Wed, Jan 18, 2012 at 11:57 PM, Viktor Tarasov <viktor.tara...@gmail.com> wrote:
>>> On Thu, Jan 19,

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Anders Rundgren
On 2012-01-19 10:16, Frank Cusack wrote:
> On Thu, Jan 19, 2012 at 1:10 AM, Anders Rundgren wrote:
>
> > This is since long solved problem. It is an intrinsic part of GlobalPlatform
> > where you don't really use CSR's and PoP's but a session-key to

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Frank Cusack
On Thu, Jan 19, 2012 at 1:10 AM, Anders Rundgren wrote:
>
> This is since long solved problem. It is an intrinsic part of GlobalPlatform
> where you don't really use CSR's and PoP's but a session-key to secure that you
> are really talking to the card.
>
> On http://webpki.org/auth-token-4-th

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Frank Cusack
On Thu, Jan 19, 2012 at 12:38 AM, NdK wrote:
> On 19/01/2012 09:16, Peter Stuge wrote:
> > Christian Hohnstaedt wrote:
> >> Anything that can be signed by the card can be signed by a software
> >> key, too.
> > Yes of course. But the point is that the card can come with the
> > special key p

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Anders Rundgren
On 2012-01-19 09:38, NdK wrote:
> On 19/01/2012 09:16, Peter Stuge wrote:
>> Christian Hohnstaedt wrote:
>>> Anything that can be signed by the card can be signed by a software
>>> key, too.
>> Yes of course. But the point is that the card can come with the
>> special key pre-installed.
> I se

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Andreas Schwier (ML)
Dear Frank, we have such a card. Take a look at [1]. The card internally generates a key pair and a CSR as defined in TR-03110 (that is the standard for biometric passports, in particular Extended Access Control). Such an authenticated request contains two signatures: the inner signature is the p

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread NdK
On 19/01/2012 09:16, Peter Stuge wrote:
> Christian Hohnstaedt wrote:
>> Anything that can be signed by the card can be signed by a software
>> key, too.
> Yes of course. But the point is that the card can come with the
> special key pre-installed.

I see at least two ways here: 1) the 'technic

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Peter Stuge
Seriously, please trim replies.

Christian Hohnstaedt wrote:
> Anything that can be signed by the card can be signed by a software
> key, too.

Yes of course. But the point is that the card can come with the special key pre-installed.

//Peter

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Christian Hohnstaedt
On Wed, Jan 18, 2012 at 11:30:36PM -0800, Frank Cusack wrote:
> On Wed, Jan 18, 2012 at 11:04 PM, Christian Hohnstaedt <christ...@hohnstaedt.de> wrote:
>
> > On Wed, Jan 18, 2012 at 04:20:05PM -0800, Frank Cusack wrote:
> > > In a CSR, how is it proven that the key resides on a smart card (and

Re: [opensc-devel] proving a key is on a smart card

2012-01-19 Thread Peter Stuge
Frank Cusack wrote:
> For example, if I had some key/cert on the card (and I know it can only
> exist on the card -- this might happen before it is shipped to me or in
> bulk secure provisioning on site) that is not able to be used for anything
> externally. ie, you cannot encrypt,decrypt,sign or

Re: [opensc-devel] proving a key is on a smart card

2012-01-18 Thread Frank Cusack
On Wed, Jan 18, 2012 at 11:04 PM, Christian Hohnstaedt <christ...@hohnstaedt.de> wrote:
> On Wed, Jan 18, 2012 at 04:20:05PM -0800, Frank Cusack wrote:
> > In a CSR, how is it proven that the key resides on a smart card (and is not
> > exportable)? In my understanding, the CSR is signed by the

Re: [opensc-devel] proving a key is on a smart card

2012-01-18 Thread Christian Hohnstaedt
On Wed, Jan 18, 2012 at 04:20:05PM -0800, Frank Cusack wrote:
> In a CSR, how is it proven that the key resides on a smart card (and is not
> exportable)? In my understanding, the CSR is signed by the private key of
> the (to be) cert itself. Thus that signature only proves that the
> requester a

[opensc-devel] proving a key is on a smart card

2012-01-18 Thread Frank Cusack
In a CSR, how is it proven that the key resides on a smart card (and is not exportable)? In my understanding, the CSR is signed by the private key of the (to be) cert itself. Thus that signature only proves that the requester actually possesses the private half, not that the private key resides o