From: Andreas S. <and...@ca...> - 2014-07-21 09:57:08

Would be interesting to get something like this integrated with EJBCA. That shouldn't be too complicated: the server side is just a small servlet that provides the APDU channel via HTTP to the device on the client side. The servlet talks to OCF on the server and a JCE Provider on top of it. The CA would just need to access the private key operation via JCE.

Andreas

On 07/16/2014 10:17 PM, Tomas Gustavsson wrote:
> Yeah, I read on the demo page about CA as a service, where you keep the CA keys on the smart card, in your control.
> This is a very interesting and innovative concept I think. Very cool, and well done.
>
> /Tomas
>
> On July 16, 2014 10:11:09 PM CEST, Andreas Schwier <and...@ca...> wrote:
>> I guess I have to clarify how the SmartCard-HSM relates to CVCs:
>>
>> At its core, the SmartCard-HSM is a secure key store for RSA and ECC
>> keys, that unlike other PKI tokens has key management functions that you
>> normally find in large (and expensive) HSMs (Key Backup, Cluster
>> Operation, Key Offloading).
>>
>> One of these functions is the ability to have a trusted channel between
>> the device and the RA/CA. This trusted channel is established using Chip
>> Authentication known from ePassports and eID cards. But while in
>> Passports the authenticity of the chip authentication public key is
>> based on passive authentication and the docsigner / CSCA certificate,
>> the authenticity in the SC-HSM is proved using a CVC based PKI.
>>
>> Just like in EAC, where you have a CVCA, DVCA and terminal certificate,
>> in a SmartCard-HSM you have a Scheme Root CA (CRCA), Device Issuer CA
>> (DICA) and a device certificate. The ECC public key for chip
>> authentication is certified in the device certificate and linked to the
>> unique id of the SmartCard-HSM.
>>
>> In addition, newly generated public keys are exported in the
>> authenticated CVC request format as per TR-03110. The inner signature is
>> provided by the private key, the outer signature by the device
>> authentication key or any other key on the device. The latter is used in
>> an EAC PKI to renew certificates.
>>
>> The SmartCard-HSM can of course be used with EJBCA, either via OpenSC or
>> using the multithreading-enabled PKCS#11 Module from the sc-hsm-embedded
>> project.
>>
>> Andreas
>>
>>
>> On 07/16/2014 08:50 AM, Christian Felsing wrote:
>>> On 15.07.14 15:29, Tomas Gustavsson wrote:
>>>>
>>>> On 2014-07-15 13:38, Christian Felsing wrote:
>>>>> Hello,
>>>>>
>>>>> while trying to create a CVC CA in EJBCA Community I got the following message:
>>>>>
>>>>> CVC CA type is not available in this version of EJBCA
>>>>>
>>>>> Does that mean community edition does not support CVC?
>>>>
>>>> That is correct. Since it's so specific for country/government usage
>>>> there is no possibility to maintain it for free, and the community is
>>>> pretty small.
>>>>
>>>> Cheers,
>>>> Tomas
>>>
>>> CVC is not only for government related applications, there is an open
>>> source project sc-hsm which also supports CVC, because that
>>> card will claim to be suitable for CVC applications. With this card
>>> ejbca may become a solution for CVC based applications besides
>>> government applications.
>>>
>>> At demo.openscdp.org is a demo for EAC-PKI applications.
>>>
>>> cheers
>>> Christian
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Want fast and easy access to all the code in your enterprise? Index and
>>> search up to 200,000 lines of code with a free copy of Black Duck
>>> Code Sight - the same software that powers the world's largest code
>>> search on Ohloh, the Black Duck Open Hub! Try it now.
>>> http://p.sf.net/sfu/bds
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejb...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>> --
>>
>> --------- CardContact Software & System Consulting
>> |.##> <##.| Andreas Schwier
>> |# #| Schülerweg 38
>> |# #| 32429 Minden, Germany
>> |'##> <##'| Phone +49 571 56149
>> --------- http://www.cardcontact.de
>> http://www.tscons.de
>> http://www.openscdp.org
>> http://www.smartcard-hsm.com