[Authentication] A related Key-Ring project
anders.rundgren at telia.com
Fri Jul 10 23:22:08 PDT 2009
The following should not [at all] be considered as a competitor but as
an effort that (if successful...) could be possible to merge with or "borrow"
from and vice versa.
I have since 1998 been obsessed with using mobile phones as a smart card
replacements as well as enabling secure mobile services using the same key(s).
Why smart cards? In the EU banks, and e-governments are (unlike their
US counterparts), heavy into using "tokens" for consumer/citizen authentication.
The things that differ most with using a mobile phone for emulating a bunch
of virtual smart cards compared to discrete smart cards can be summarized as:
- Shared container versus separate containers
- On-line versus physical distribution
The shared container means that there must be some way to manage keys
for an issuer without disrupting other issuers' keys. Anti-IPR paper:
The on-line paradigm is the thing that causes most problems because
an issuer needs to know in *what* they are deploying keys to:
How does this relate to PKCS #11?
For key "execution" the scheme should be compatible with any API out there
For on-line key "provisioning" and "management" I'm working with on a completely
new API. The point with this is that most PKI-using apps will work as before,
while the on-line operations can be made to function as good as is possible.
On http://keycenter.webpki.org you will find an emulator that at the time of
writing does not match the documents just mentioned but if you try it, gives
you an idea of what the goal is.
I have recently found that this stuff also could be of use in enhanced USB
memory sticks and therefore I plan to start an Open Hardware project
to make the key-container useful on PCs as well. Currently based on:
[Planned] feature-set at a glance:
- Double-use as a regular USB 2.0 mass memory stick
- 4 MB of key-space
- PKI, OTP, and InfoCards
- Issuer-specific PINs, PUKs, and policies
- Universal credential provisioning and management protocol
- Issuer-separated credential-management through proof-of-issuance signatures
- "Air-tight provisioning" through device attestations
I don't know if I have the power to do all this though; it's not my day-job :-(
More information about the Authentication