From: Andreas S. <and...@ca...> - 2016-01-12 22:38:31
Hi Daniel,

the purpose of the SmartCard-HSM PKI is to allow a relying party to authenticate public keys for private keys generated on the device. It does both, proof of possession and proof of correspondence. It also allows using the public key without a certificate, because the internally generated certificate signing request is signed by the device authentication key. In some applications like the n-of-m scheme [1] this is sufficient, i.e. there is no need for another separate PKI to issue certificates that bind the public key to an identity (each SmartCard-HSM has an identity asserted by the device certificate and linked to the device authentication key).

This means that if someone relies on this PKI, he must rely on the device issuer and the correct operation of the systems at the two PKI layers. This is not limited to ourselves, as we have customers that are operating their own root and production CA.

Having a full PKI for public key authentication is something that - as far as I know - only the SmartCard-HSM provides for. Other schemes provide key attestation, but typically with a key shared amongst all devices.

Andreas

[1] http://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf

On 01/12/2016 11:08 PM, Daniel Pocock wrote:
>
> Hi all,
>
> I was looking at the specs for Smartcard HSM:
>
> http://www.smartcard-hsm.com/features.html#devaut
>
> and it suggests that a "Scheme Root CA maintained by CardContact issues
> certificates for Device Issuer CAs, which in turn issue an unique device
> certificate for each SmartCard-HSM produced."
>
> Does this mean the card has some dependency on the manufacturer/vendor?
> Is this typical?
>
> Regards,
>
> Daniel

--
---------
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
---------
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com
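The two-layer chain and the relying-party check that Andreas describes (Scheme Root CA, Device Issuer CA, per-device certificate, and a CSR countersigned by the device authentication key), modelled as an added example in Go. This is editorial illustration, not code from this thread, from CardContact or from the SmartCard-HSM; the CA names, the attestation layout (a PKCS#10 CSR plus an ECDSA signature by the device authentication key over SHA-256 of the CSR), the choice of P-256 and the use of Go's standard crypto/x509 package are all assumptions made here and do not describe the product's actual certificate or request formats. The point the example makes is the one in the mail: the relying party trusts only the scheme root, so a key attested by a device certified under a different root is rejected, and the CSR's own signature gives proof of possession while the device signature gives proof of correspondence.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed model of the chain described above (Scheme Root CA -> Device Issuer CA ->
// device certificate). CA names, attestation layout and ECDSA P-256 are assumptions.
// Device is a simulated SmartCard-HSM: its chain plus the device authentication key.
type Device struct {
	Root, Issuer, Cert *x509.Certificate
	authKey            *ecdsa.PrivateKey // never leaves the device
}

// Attestation is the CSR for a key generated on the device, countersigned by the device.
type Attestation struct {
	CSR       []byte // PKCS#10 request self-signed by the generated key: proof of possession
	DeviceSig []byte // device auth key's ECDSA signature over SHA-256(CSR): proof of correspondence
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs a certificate for pub with signer; parent == nil means self-signed.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// NewDevice builds both PKI layers and one device certificate beneath them.
func NewDevice(name string) *Device {
	rootKey, issuerKey, authKey := newKey(), newKey(), newKey()
	root := issue("Example Scheme Root CA", x509.KeyUsageCertSign, nil, &rootKey.PublicKey, rootKey)
	issuer := issue("Example Device Issuer CA", x509.KeyUsageCertSign, root, &issuerKey.PublicKey, rootKey)
	cert := issue(name, x509.KeyUsageDigitalSignature, issuer, &authKey.PublicKey, issuerKey)
	return &Device{Root: root, Issuer: issuer, Cert: cert, authKey: authKey}
}

// GenerateAttestedKey generates a key on the device, builds its CSR and countersigns the CSR.
func (d *Device) GenerateAttestedKey() (*ecdsa.PrivateKey, *Attestation) {
	key := newKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "on-device key"}}
	csr := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	h := sha256.Sum256(csr)
	sig := must(ecdsa.SignASN1(rand.Reader, d.authKey, h[:]))
	return key, &Attestation{CSR: csr, DeviceSig: sig}
}

// VerifyAttestation is the relying party's side: trust only the scheme root, require the
// device certificate to chain to it, then check the device signature and the CSR's own.
func VerifyAttestation(trustedRoot, issuer, devCert *x509.Certificate, att *Attestation) (*x509.CertificateRequest, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(trustedRoot)
	opts.Intermediates.AddCert(issuer)
	if _, err := devCert.Verify(opts); err != nil {
		return nil, fmt.Errorf("device certificate does not chain to the scheme root: %w", err)
	}
	devPub, ok := devCert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(att.CSR)
	if !ok || !ecdsa.VerifyASN1(devPub, h[:], att.DeviceSig) {
		return nil, fmt.Errorf("device signature invalid: key was not attested by this device")
	}
	csr, err := x509.ParseCertificateRequest(att.CSR)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the generated key
		return nil, fmt.Errorf("proof of possession invalid: %w", err)
	}
	return csr, nil // csr.PublicKey is now authenticated as generated on this device
}

func main() {
	dev := NewDevice("Example Device 0001")
	_, att := dev.GenerateAttestedKey()
	_, err := VerifyAttestation(dev.Root, dev.Issuer, dev.Cert, att)
	fmt.Println("attestation accepted:", err == nil)
}
```

The trust decision lives entirely in the root pool handed to VerifyAttestation: a relying party that pins CardContact's scheme root (or, as the mail notes, a customer's own root) accepts only devices certified beneath it, which is exactly the dependency Daniel asked about. Swapping in a device certified under another root, or tampering with the device signature, makes the function return an error rather than a key.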