Re: A PKI Question: PKCS11-> PKCS12
If your smart card supports PKCS 12 (export), you have the ability to move
your keys to another device, usually for disaster recovery. This is
appropriate for CA keys. A typical user should not need this capability for
normal business.
-Jim
Baber Amin <BAMIN@xxxxxxxxxx> on 11/27/2001 02:06:05 PM
To: raghavh@xxxxxxxxxxxxxxx
Jim Essig/US/ABAS/PwC@xxxxxxxxxxx
cc: ietf-pkix@xxxxxxx
Subject: Re: A PKI Question: PKCS11-> PKCS12
So how would one move their keys and certs from one smart card to another?
Thanks
Baber
:)
>>> <jim.essig@xxxxxxxxxxxxxxxx> 11/27/01 11:24AM >>>
The purpose of storing a private key in a smart card is exactly that: "to
jail it". By being able to move the private key to another device you run
the risk of a malicious user having a copy of your private key and using
that private key to impersonate you. The reason to have a smart card is to
provide a secure means to transport, store and use your private key for
authentication and/or encryption. A smart card user may have a legitimate
"want" to move their key to another smart card, but this would circumvent
the point of the smart card. The purpose is not to just be able to
transport the key, otherwise everyone would use 3.5" floppies.
Hope this answered your question.
-Jim
"RAGHAVENDRAN H. (SSG) - CTD, Chennai." <raghavh@xxxxxxxxxxxxxxx>
@mail.imc.org on 11/27/2001 11:17:19 AM
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
To: ietf-pkix@xxxxxxx
cc:
Subject: A PKI Question: PKCS11-> PKCS12
Hi List:
Sorry this may be off the list, but I thought this is the best "PKI" place
to ask this question :-)
Myself and my friend had a discussion in which he says that when I put a
private key/certificate pair into a smart card device (such as GPK 4000), it
is impossible to read the information and create a PKCS12 file (disk based)
out of it.
I find it mighty strange. For example, I might want to swap my
certificate/key pair from one smart card to another and I might want to do
it via the PKCS12 format.
Can anybody say whether this is possible or not?
Some of my friends say that it "may be" possible to export only the
Certificate and not the private key associated with it. I don't see sense
in any of this argument.
In fact, what is the point in jailing the private key for life in a single
smart card? This argument is totally contrary to logical thinking.
Pls. guys, I'd be grateful if you could answer this question.
Regards,
Raghav
----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
----------------------------------------------------------------