From: Andreas S. <and...@ca...> - 2016-01-13 11:27:46
Sure

> Can you please be more specific about some aspects of this PKI:
>
> a) if CardContact goes out of business for any reason, what is the
> impact on people using the cards? Will people using the intermediate
> certificates signed by your root be able to keep using them until they
> expire? How long are they valid?

If CardContact goes out of business, then the Scheme Root CA will stop operating and will not issue new device issuer certificates. Existing device issuers can of course continue to operate their CA instance and can produce legitimate SmartCard-HSMs.

A device issuer certificate is valid for 8 years. Device certificates have a validity date, which does not exceed the expiration date of the device issuer CA certificate.

But remember that these certificates are card-verifiable certificates, not suitable for X.509 based applications. We are not operating an X509 PKI.

> b) if the CardContact root certificate is compromised (private key
> stolen, etc), what is the impact on people using the cards?

The Scheme Root CA private key is - of course - stored on a SmartCard-HSM with dual-control for both operation and recovery. The CA is an offline CA.

We do our best to protect the Scheme Root CA, but if it were compromised, a relying party could no longer trust public keys generated in the device. The impact would need to be evaluated in the actual application scenario.

Any customer is of course free to become a device issuer himself and even operate his own scheme root CA. This is common for customers that have additional security requirements that we can't (or don't want to) fulfil.

> c) you say that some customers operate their own root, does that mean
> they can completely eliminate or replace the "device authentication key"
> you create at the factory?

The device authentication key is generated during SmartCard-HSM personalization, which can be done by any device issuer.

Our business model with the SmartCard-HSM is to license the applet to device issuers and to provide the required infrastructure to produce the devices. At the same time we are a device issuer for the USB and MicroSD based form factor.

--
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
http://www.smartcard-hsm.com