- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Tue, 20 Mar 2012 12:39:39 +0100
- To: Mo McRoberts <mo.mcroberts@bbc.co.uk>
- CC: Hannes Tschofenig <hannes.tschofenig@gmx.net>, public-identity@w3.org, Harry Halpin <hhalpin@w3.org>
On 2012-03-20 11:21, Mo McRoberts wrote: > > On 20 Mar 2012, at 10:15, Anders Rundgren wrote: > >> There is to my knowledge no SDO who have taken on secure key storage and >> provisioning. In TCG (which I'm a member of), secure key storage is on >> the menu but the provisioning has been left to vendors to cater for. > > *Tangentially related*, I blogged a little bit about secure provisioning the other day: > > http://nevali.net/post/19391532575/provisioning-keys-and-provenance *Highly related* I would say. > > (if memory serves we've talked around this list in the past — so to be clear, I'm not claiming to have invented anything, just written it up) > > As with everything, I'm sure there's a terribly good reason why somebody or other wouldn't want to implement such a thing. According to a US government official I met in Washington DC, there is a reason why provisioning is not a part of the US PIV smart card standard and that spells "hardware vendor". This has severely dwarfed the PIV as a standard for other parties and in the end everybody lost. I actually tried to purchase security hardware from a couple of vendors but then I had to specify how many 10K (!) units I needed as well as signing NDAs. I would also not be able to publish the code. Case closed, or as I found out later: Open Security Hardware is nowadays a viable alternative. Anyway, bridging the gap from crypto hardware to the browser is actually not a simple task. Here is my take on the subject: http://openkeystore.googlecode.com/svn/trunk/resources/docs/Efficient-Provisioning-of-Complex-Structures-Over-Unsecured-Channels.pdf Anders > > M. >
Received on Tuesday, 20 March 2012 11:40:21 UTC