- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Fri, 8 May 2009 07:52:31 +0200
I don't know how far you have gotten with <keygen>. You may be interested in knowing what the "competition" is doing :-) >From a provisioning point of view smart cards have a long way to go. >From the SKS paper: "even if you buy a $100 card; it still doesn't enable an on-line issuer to verify that keys were actually created in the card!" Since on-line provisioning is the norm for Information Cards, mobile device keys, etc, I have added something which I call "Air-tight Provisioning" to the USB memory stick design I'm working with. Air-tight provisioning, the basics: http://webpki.org/papers/keygen2/secure-key-store.pdf If you take a look at "Dual-use Device IDs", you will find a novel (?) use of device certificates. Air-tight provisioning, core facility: http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf The most important conclusion drawn so far is that provisioning must be an integral part of a cryptographic sub-system, otherwise it will be full with quirks, security holes, and interoperability issues. A good thing is that nothing prevents designs like the above to be used with conventional cryptographic APIs for the "execution" part of a key's life; it is "only" the provisioning and management operations that need a major overhaul. Is this standardization? Not really. After talking to literally hundreds of people, it is fairly clear that standardization takes too long time, is riddled by politics, and very often lacks real-world testing. XKMS is an example of a standard that failed on the market in spite of being supported by all he big guns. Open design, free code, and a community seems to be the most realistic way ahead. Anders Rundgren -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090508/1368489d/attachment.htm>
Received on Thursday, 7 May 2009 22:52:31 UTC