Menu
▾
▴
Re: [Opensc-devel] Google introduces Web-based smart card
|
From: Alon Bar-L. <alo...@gm...> - 2013-06-14 09:10:55
|
Hi, Sorry, I totally disagree... Manufacturer should manufacture secure platform that can be used for various of implementations. It should be accountable for the operation of the device. The trust within the manufacturer is limited to providing a device with no backdoors. The content, and in this case the private key, should not be exposed to anyone, including the manufacturer if I to trust the device. Establishing manufacturer trust chain will be the same as UEFI, bad for everyone but who ever hold the key for the CA. Had you said that I can somehow generate a public key after I bought the device and enroll it to some 3rd part to have it trusted, I would have agreed. But enforcing trust is not something that should be acceptable. Regards, Alon On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML) <and...@ca...> wrote: > As the scheme is based on a piece of hardware it makes sense to trust > the manufacturer to provide a genuine device. > > This way you know the key remains safe on the client side and is not > some software based / man-in-the-middle generated key pair. > > It's quite the same what Anders does with the webpki attestation key and > what we do with the device authentication key in the SmartCard-HSM. > > The key questions is how this network of trusted suppliers will be > build. Who will certify suppliers ? Who operates a root CA that > certifies suppliers ? Will there be a security evaluation of the devices > (like CC) ? > > Andreas > > Am 14.06.2013 10:54, schrieb Alon Bar-Lev: >> Yes, at first read I thought there is nothing new, we can do this with >> existing smartcards... >> >> But then read: >> """ >> Initial Signup: Site sends Javascript call to browser asking for >> public key for user. Browser finds activated U2F, asks it for public >> key to remember for user. U2F returns signed public key (signature is >> by U2F vendor). Site (optionally) verifies public key signature to >> ensure its an accepted vendor and saves public key + attached blob >> (encrypted private key). >> """ >> >> So it is a meter of trust, same as PKI... only that you are forced to >> trust the manufacturer... which is totally wrong. >> >> Initially I thought that each registration will create its own key >> pair... which could have been nice if the device has enough memory. >> Even single key pair is OK if you would like to share it between >> services. >> >> Regards, >> Alon >> >> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto >> <hel...@gm...> wrote: >>> I love the big brother. >>> >>> >>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote: >>>> https://sites.google.com/site/oauthgoog/gnubby >>>> >>>> I think it is actually good that I finally have a competitor! >>>> >>>> Smart Card middleware will be a thing of the past. Hooray! >>>> >>>> Anders >>>> >>>> ------------------------------------------------------------------------------ >>>> This SF.net email is sponsored by Windows: >>>> >>>> Build for Windows Store. >>>> >>>> http://p.sf.net/sfu/windows-dev2dev >>>> _______________________________________________ >>>> Opensc-devel mailing list >>>> Ope...@li... >>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >>> >>> >>> ------------------------------------------------------------------------------ >>> This SF.net email is sponsored by Windows: >>> >>> Build for Windows Store. >>> >>> http://p.sf.net/sfu/windows-dev2dev >>> _______________________________________________ >>> Opensc-devel mailing list >>> Ope...@li... >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >>> >> ------------------------------------------------------------------------------ >> This SF.net email is sponsored by Windows: >> >> Build for Windows Store. >> >> http://p.sf.net/sfu/windows-dev2dev >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > -- > > --------- CardContact Software & System Consulting > |.##> <##.| Andreas Schwier > |# #| Schülerweg 38 > |# #| 32429 Minden, Germany > |'##> <##'| Phone +49 571 56149 > --------- http://www.cardcontact.de > http://www.tscons.de > http://www.openscdp.org > > > -- > > --------- CardContact Software & System Consulting > |.##> <##.| Andreas Schwier > |# #| Schülerweg 38 > |# #| 32429 Minden, Germany > |'##> <##'| Phone +49 571 56149 > --------- http://www.cardcontact.de > http://www.tscons.de > http://www.openscdp.org > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel |
