From: Tomas G. <to...@pr...> - 2014-07-16 20:19:27

Yeah, I read on the demo page about CA as a service, where you keep the CA keys on the smart card, in your control. This is a very interesting and innovative concept I think. Very cool, and well done.

/Tomas

On July 16, 2014 10:11:09 PM CEST, Andreas Schwier <and...@ca...> wrote:
> I guess I have to clarify how the SmartCard-HSM relates to CVCs:
>
> At its core, the SmartCard-HSM is a secure key store for RSA and ECC keys, that unlike other PKI tokens has key management functions that you normally find in large (and expensive) HSMs (Key Backup, Cluster Operation, Key Offloading).
>
> One of these functions is the ability to have a trusted channel between the device and the RA/CA. This trusted channel is established using Chip Authentication known from ePassports and eID cards. But while in Passports the authenticity of the chip authentication public key is based on passive authentication and the docsigner / CSCA certificate, the authenticity in the SC-HSM is proved using a CVC based PKI.
>
> Just like in EAC, where you have a CVCA, DVCA and terminal certificate, in a SmartCard-HSM you have a Scheme Root CA (CRCA), Device Issuer CA (DICA) and a device certificate. The ECC public key for chip authentication is certified in the device certificate and linked to the unique id of the SmartCard-HSM.
>
> In addition, newly generated public keys are exported in the authenticated CVC request format as per TR-03110. The inner signature is provided by the private key, the outer signature by the device authentication key or any other key on the device. The latter is used in an EAC PKI to renew certificates.
>
> The SmartCard-HSM can of course be used with EJBCA, either via OpenSC or using the multithreading-enabled PKCS#11 Module from the sc-hsm-embedded project.
>
> Andreas
>
>
> On 07/16/2014 08:50 AM, Christian Felsing wrote:
>> Am 15.07.14 15:29, schrieb Tomas Gustavsson:
>>>
>>> On 2014-07-15 13:38, Christian Felsing wrote:
>>>> Hello,
>>>>
>>>> while trying to create a CVC CA in EJBCA Community I got the following message:
>>>>
>>>> CVC CA type is not available in this version of EJBCA
>>>>
>>>> Does that mean community edition does not support CVC?
>>>
>>> That is correct. Since it's so specific for country/government usage there is no possibility to maintain it for free, and the community is pretty small.
>>>
>>> Cheers,
>>> Tomas
>>
>> CVC is not only for government related applications, there is an open source project sc-hsm which also supports CVC, because that card will claim to be suitable for CVC applications. With this card EJBCA may become a solution for CVC based applications besides government applications.
>>
>> At demo.openscdp.org is a demo for EAC-PKI applications.
>>
>> cheers
>> Christian
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>
>
> --
>
>  ---------    CardContact Software & System Consulting
> |.##> <##.|   Andreas Schwier
> |#       #|   Schülerweg 38
> |#       #|   32429 Minden, Germany
> |'##> <##'|   Phone +49 571 56149
>  ---------    http://www.cardcontact.de
>               http://www.tscons.de
>               http://www.openscdp.org
>               http://www.smartcard-hsm.com