Generating a secret on a smartcard and having it never leave the card is a major security feature to many people. For example, I believe it is mandated by Identrus for financial transactions. It is certainly a major motive for using smartcards, since it ensures that all copies of the key are protected, not just one of them. It also ensures that an attacker cannot read out the key and use it in some environment where the card is not present.
On the other hand, many people believe in the benefits of key backup, particularly in a corporate environment, where the assets being protected belong to the organization, not the individual. Also, some folks believe that a central facility can do a better job of generating unguessable keys than a smartcard with limited processing power.
There is never any reason to protect certificates, since they are signed and intended to be public knowledge. They tend to take a lot of precious space on a smartcard. But, given the lack of a universally deployed directory infrastructure, it is convenient to have them "with you".
However, trusted root keys (which may be held in a self-signed certificate for processing convenience) must be protected from modification.
Hal
> -----Original Message-----
> From: RAGHAVENDRAN H. (SSG) - CTD, Chennai. [mailto:raghavh@xxxxxxxxxxxxxxx]
> Sent: Tuesday, November 27, 2001 11:17 AM
> To: ietf-pkix@xxxxxxx
> Subject: A PKI Question: PKCS11-> PKCS12
>
>
>
> Hi List:
>
> Sorry this may be off the list, but I thought this is the best "PKI" place
> to ask this question :-)
>
> Myself and my friend had a discussion in which he says that when I put a
> private key/certificate pair into a smart card device (such as GPK 4000), it
> is impossible to read the information and create a PKCS12 file (disk based)
> out of it.
>
> I find it mighty strange. For example, I might want to swap my
> certificate/key pair from one smart card to another and I might want to do
> it via the PKCS12 format.
>
> Can anybody say whether this is possible or not?
>
> Some of my friends say that it "may be" possible to export only the
> Certificate and not the private key associated with it. I don't see sense
> in any of this argument.
>
> In fact, what is the point in jailing the private key for life in a single
> smart card? This argument is totally contrary to logical thinking.
>
> Pls. guys, I'd be grateful if you could answer this question.
>
> Regards,
> Raghav
>