[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12

To: <raghavh@xxxxxxxxxxxxxxx>, <hal.lockhart@xxxxxxxxxxxxx>, <ietf-pkix@xxxxxxx>, <anders.rundgren@xxxxxxxxx>, <jim.essig@xxxxxxxxxxxxxxxx>
Subject: RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
From: "Baber Amin" <BAMIN@xxxxxxxxxx>
Date: Wed, 28 Nov 2001 10:07:05 -0700
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

I can see Anders way of doing things if the key o the card was only
being used for signing.  Thus, when a new device is instantiated by the
CA, the cert on the old device can be put on a revocation list.  The
signature check mechanism can still validate signatures done using the
old device as long as they are before the revocation date.
However, if I use the key on the card for encryption, then I would
really like to move my key to a newer safer, better card.  Or I may want
to consolidate more than one private key onto a card.  
I envision, having keys from an employer, a bank, federal or state
government identifying keys; all on the same card.  They should,
however,  be protected with separate pins, so that I can unlock a
particular key without cross contamination.

Thanks
Baber
:)  

>>> Hal Lockhart <hal.lockhart@xxxxxxxxxxxxx> 11/28/01 09:32AM >>>
So you get a new cert and a new key pair. In what sense is this a
copy?

Hal

> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@xxxxxxxxx] 
> Sent: Tuesday, November 27, 2001 2:31 PM
> To: jim.essig@xxxxxxxxxxxxxxxx; raghavh@xxxxxxxxxxxxxxx 
> Cc: ietf-pkix@xxxxxxx 
> Subject: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
> 
> 
> 
> 
> Raghav,
> This is how I envision that you could make a "copy" of a 
> smart PKI-card
> in a secure way:
> 
> Using the original smart card (with cert. + priv. key) you 
> authenticate to
> the CA.  Based on the login the CA *could* allow you to do a 
> certificate
> request using a new "fresh" card with built-in key-gen. 
> 
> There are PKIX-efforts like SACRED that seems to address your 
> whish but I
> think that the above is a better way to do it, as does not 
> need export of private keys.
> In addition you can always trace an authentication or signing 
> to a particular
> device/key-container.
> 
> Regards
> Anders
> 
> ----- Original Message ----- 
> From: <jim.essig@xxxxxxxxxxxxxxxx>
> To: <raghavh@xxxxxxxxxxxxxxx>
> Cc: <ietf-pkix@xxxxxxx>
> Sent: Tuesday, November 27, 2001 19:24
> Subject: Re: A PKI Question: PKCS11-> PKCS12
> 
> 
> 
> 
> The purpose of storing a private key in a smart card, is 
> exactly that "to
> jail it". By being able to move the private key to another 
> device you run
> the risk of a malicious user having a copy of your private 
> key and using
> that private key to impersonate you. The reason to have a 
> smart card is to
> provide a secure means to transport, store and use your 
> private key for
> authentication and/or encryption. A Smart card user may have 
> a legitimate
> "want" to move their key to another smart card, but this 
> would circumuvent
> the point of the smart card. The purpose is not to just be able to
> transport the key, otherwise everyone would use 3.5" floppies.
> 
> Hope this answered your question.
> 
> -Jim
> 
> 
> 
> 
> "RAGHAVENDRAN H. (SSG) - CTD, Chennai." <raghavh@xxxxxxxxxxxxxxx>
> @mail.imc.org on 11/27/2001 11:17:19 AM
> 
> Sent by:  owner-ietf-pkix@xxxxxxxxxxxx 
> 
> 
> 
> 
> 
> 
> To:   ietf-pkix@xxxxxxx 
> cc:
> Subject:  A PKI Question: PKCS11-> PKCS12
> 
> 
> 
> Hi List:
> 
> Sorry this may be off the list, but I thought this is the 
> best "PKI" place
> to ask this question :-)
> 
> Myself and my friend had an discussion in which he says that 
> when I put a
> private key/certificate pair into a smart card device (such 
> as GPK 4000),
> it
> is impossible to read the information and create a PKCS12 
> file (disk based)
> out of it.
> 
> I find it mighty strange. For example, I might want to swap my
> certificate/key pair from one smart card to another and I 
> might want to do
> it via the PKCS12 format.
> 
> Can anybody say whether this is possible or not?
> 
> Some of my friends say that it "may be" possible to export only the
> Certificate and not the private key associated with it. I 
> don't see sense
> any of this argument.
> 
> In fact, what is the point in jailing the private key for 
> life in a single
> smart card? This argument is totally contrary to logical thinking.
> 
> Pls. guys, I'd be grateful if you could answer this question.
> 
> Regards,
> Raghav
> 
> ----------------------------------------------------------------
> The information transmitted is intended only for the person 
> or entity to
> which it is addressed and may contain confidential and/or privileged
> material.  Any review, retransmission, dissemination or other 
> use of, or
> taking of any action in reliance upon, this information by persons
or
> entities other than the intended recipient is prohibited.   
> If you received
> this in error, please contact the sender and delete the 
> material from any
> computer.
> 
>

Prev by Date: RE: A PKI Question: PKCS11-> PKCS12
Next by Date: Re: A PKI Question: PKCS11-> PKCS12
Previous by thread: Re: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
Next by thread: ANNOUNCE: ISOC Netw. & Distr. Sys. Security Symp. (NDSS'02)
Index(es):
- Date
- Thread