[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12

To: "Hal Lockhart" <hal.lockhart@xxxxxxxxxxxxx>, <raghavh@xxxxxxxxxxxxxxx>
Subject: Re: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
From: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Date: Wed, 28 Nov 2001 19:12:34 +0100
Cc: <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Title: RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12

Hal,

The copy was "quoted" to indicate that this is a copy "in principle"

as the new cert and key should be interchangable with the old cert and key

for authentication and signing purposes.

But as noted by Baber Amin, this is not applicable to encryption

where the actual key value is required.

In Sweden the original electronic ID-card had indeed three keys

to cope with this situation, but due to Windows' lack of support

for that, the current version have a shared authentication and

encryption key/certificate.

Anders

----- Original Message -----

From: Hal Lockhart

To: 'Anders Rundgren' ; jim.essig@xxxxxxxxxxxxxxxx ; raghavh@xxxxxxxxxxxxxxx

Cc: ietf-pkix@xxxxxxx

Sent: Wednesday, November 28, 2001 17:32

Subject: RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12

So you get a new cert and a new key pair. In what sense is this a copy?

Hal

> -----Original Message-----
> From: Anders Rundgren [mailto:anders.rundgren@xxxxxxxxx]
> Sent: Tuesday, November 27, 2001 2:31 PM
> To: jim.essig@xxxxxxxxxxxxxxxx; raghavh@xxxxxxxxxxxxxxx
> Cc: ietf-pkix@xxxxxxx
> Subject: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
>
>
>
>
> Raghav,
> This is how I envision that you could make a "copy" of a
> smart PKI-card
> in a secure way:
>
> Using the original smart card (with cert. + priv. key) you
> authenticate to
> the CA. Based on the login the CA *could* allow you to do a
> certificate
> request using a new "fresh" card with built-in key-gen.
>
> There are PKIX-efforts like SACRED that seems to address your
> whish but I
> think that the above is a better way to do it, as does not
> need export of private keys.
> In addition you can always trace an authentication or signing
> to a particular
> device/key-container.
>
> Regards
> Anders
>
> ----- Original Message -----
> From: <jim.essig@xxxxxxxxxxxxxxxx>
> To: <raghavh@xxxxxxxxxxxxxxx>
> Cc: <ietf-pkix@xxxxxxx>
> Sent: Tuesday, November 27, 2001 19:24
> Subject: Re: A PKI Question: PKCS11-> PKCS12
>
>
>
>
> The purpose of storing a private key in a smart card, is
> exactly that "to
> jail it". By being able to move the private key to another
> device you run
> the risk of a malicious user having a copy of your private
> key and using
> that private key to impersonate you. The reason to have a
> smart card is to
> provide a secure means to transport, store and use your
> private key for
> authentication and/or encryption. A Smart card user may have
> a legitimate
> "want" to move their key to another smart card, but this
> would circumuvent
> the point of the smart card. The purpose is not to just be able to
> transport the key, otherwise everyone would use 3.5" floppies.
>
> Hope this answered your question.
>
> -Jim
>
>
>
>
> "RAGHAVENDRAN H. (SSG) - CTD, Chennai." <raghavh@xxxxxxxxxxxxxxx>
> @mail.imc.org on 11/27/2001 11:17:19 AM
>
> Sent by: owner-ietf-pkix@xxxxxxxxxxxx
>
>
>
>
>
>
> To: ietf-pkix@xxxxxxx
> cc:
> Subject: A PKI Question: PKCS11-> PKCS12
>
>
>
> Hi List:
>
> Sorry this may be off the list, but I thought this is the
> best "PKI" place
> to ask this question :-)
>
> Myself and my friend had an discussion in which he says that
> when I put a
> private key/certificate pair into a smart card device (such
> as GPK 4000),
> it
> is impossible to read the information and create a PKCS12
> file (disk based)
> out of it.
>
> I find it mighty strange. For example, I might want to swap my
> certificate/key pair from one smart card to another and I
> might want to do
> it via the PKCS12 format.
>
> Can anybody say whether this is possible or not?
>
> Some of my friends say that it "may be" possible to export only the
> Certificate and not the private key associated with it. I
> don't see sense
> any of this argument.
>
> In fact, what is the point in jailing the private key for
> life in a single
> smart card? This argument is totally contrary to logical thinking.
>
> Pls. guys, I'd be grateful if you could answer this question.
>
> Regards,
> Raghav
>
> ----------------------------------------------------------------
> The information transmitted is intended only for the person
> or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other
> use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited.
> If you received
> this in error, please contact the sender and delete the
> material from any
> computer.
>
>

References:
- RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
  - From: Hal Lockhart

Prev by Date: RE: A PKI Question: PKCS11-> PKCS12
Next by Date: RE: A PKI Question: PKCS11-> PKCS12
Previous by thread: RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
Next by thread: RE: Copying smart cards. Was: A PKI Question: PKCS11-> PKCS12
Index(es):
- Date
- Thread