ietf-openpgp

Re: [openpgp] Fingerprint schemes versus what to fingerprint

2016-04-11 15:08:02

On Mon, April 11, 2016 4:00 pm, Peter Gutmann wrote:
> Derek Atkins <derek(_at_)ihtfp(_dot_)com> writes:
>> On Mon, April 11, 2016 3:42 pm, Peter Gutmann wrote:
>>> Derek Atkins <derek(_at_)ihtfp(_dot_)com> writes:
>>>> More specifically:  when you have your card generate your key material,
>>>> you pull off the public key and then generate your public key, compute
>>>> your fingerprint data (including OpenPGP metadata), and also create
>>>> secring data that contains whatever PKCS#11 reference data you need to
>>>> re-access that key.  Later when you use that card/key you know how to
>>>> reference it.
>>>
>>> Where do you store all this stuff?  PKCS #11 doesn't provide a means of
>>> storing it, you can search by something like the public key or
>>> issuerAndSerialNumber, but not by hash-of-the-public-key-and-nonce.
>>
>> Like I said, you put it into your secring.skr file.
>
> But you can't store a secring.skr file on a PKCS #11 device.  Or are you
> expecting the user to carry around a smart card and a separate USB key
> with all the stuff that can't be stored on the smart card, with an app
> that knows how to combine all the bits and pieces together to make use
> of it?

Okay, now I feel like we're going around in circles.  In my VERY FIRST
message I asked whether you are expecting the user to make a signature on
a system that has never used or seen their key material before?

By your lack of answer to that very specific question I went ahead with a
workable architecture where, yes, there are data files that need to be
carried along with the smartcard.  The smartcard is the "protected" data,
but there are other data that need to be carried along, too.

Maybe this isn't as "pure" as using PKCS#11 for X509.  But it certainly is
a workable (and working) solution.

> Peter.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek(_at_)ihtfp(_dot_)com             www.ihtfp.com
       Computer and Internet Security Consultant
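An added example (not from this thread or any of the participants' code) showing, in Python, what the "fingerprint data (including OpenPGP metadata)" discussed above consists of for a v4 RSA key: the creation time is hashed alongside the public key, so the key material read back from a PKCS #11 token is not enough on its own to recompute the fingerprint, which is why a host-side record has to travel with the card. The modulus, timestamp, label and record layout are constructed placeholders, not a real key or a real secring.skr format.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP MPI (RFC 4880 3.2): 2-octet bit length, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")

def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """V4 RSA public-key packet body (RFC 4880 5.5.2): version, 4-octet creation
    time, algorithm octet (1 = RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(n: int, e: int, created: int) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-octet body length, body.
    The creation time is inside the hash, so public-key material alone cannot
    reproduce it."""
    body = rsa_public_key_body(n, e, created)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-16:]

def secring_record(n: int, e: int, created: int, pkcs11_label: str) -> dict:
    """The host-side 'secring data' kept beside the token: fingerprint, the
    creation time needed to recompute it, and a handle to find the token object
    again. Constructed illustration, not any real secring.skr layout."""
    return {
        "fingerprint": v4_fingerprint(n, e, created),
        "created": created,
        "pkcs11_label": pkcs11_label,  # assumed: object located by CKA_LABEL
    }

def matches_token_key(n: int, e: int, record: dict) -> bool:
    """Re-derive the fingerprint from the key read back off the card plus the
    stored creation time and compare it with the stored fingerprint."""
    return v4_fingerprint(n, e, record["created"]) == record["fingerprint"]

# Constructed placeholder values, not a real RSA modulus or a real key.
TOY_N, TOY_E, TOY_CREATED = 0xD9F2B5A1, 65537, 1460000000

if __name__ == "__main__":
    rec = secring_record(TOY_N, TOY_E, TOY_CREATED, "openpgp-sign-key")
    print(rec["fingerprint"], key_id(rec["fingerprint"]))
    print(matches_token_key(TOY_N, TOY_E, rec))  # True: same key, same timestamp
    print(matches_token_key(TOY_N, TOY_E, {**rec, "created": TOY_CREATED + 1}))  # False
```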

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp