"Vainikainen Saku EINT" <Saku(_dot_)Vainikainen(_at_)elisa(_dot_)fi> writes:
> Yes, but then we need to store encryption key and certificate chains. Our
> smartcard has only limited space available, so we would need to recover the
> old encryption keys and certificates to PKCS#12 files or other software
But why do you need to store all this cruft? If it's a legacy/superseded
decryption key, all you need is the private-key components for decryption
(usually stored in a highly compact card-specific format) and the
issuerAndSerialNumberHash so you can locate it (in fact for any decryption
key, even a currently active one, you don't actually need to store the cert).
The overhead for the non-private-key components would probably be 50-100
bytes, depending on how much other stuff your PKCS #15 implementation stores
alongside it. So your card contains the current decryption key and its cert,
and one (or possibly more, although you probably need to ask why the user is
losing that many keys) decryption keys and the index info needed to find them.
The indexing overhead for half a dozen decryption keys is going to be less
than that for a single certificate.
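As an added illustration of the index-only scheme described in the reply (this is example code, not part of the thread and not taken from any particular PKCS #15 or card implementation), the block below keeps one small record per decryption key, holding a hash of the CMS IssuerAndSerialNumber, a card key reference and a short label, and uses it to pick the right key for a message's RecipientInfos. The exact hash function (SHA-1 here), the record layout and the minimal DER helpers are assumptions; the message only says that a hash of issuerAndSerialNumber is enough to locate the key.

```python
"""Added example: locate a (possibly superseded) decryption key on a card by an
issuerAndSerialNumber hash instead of storing the certificate.

Assumptions (not stated in the thread): the index value is SHA-1 over the
DER-encoded CMS IssuerAndSerialNumber; each record holds that 20-byte digest,
a one-byte card key reference and a short label; the key material itself lives
in the card's own key store and is only referenced here.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


# --- minimal DER encoding helpers (enough to build IssuerAndSerialNumber) ---

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using short-form or long-form length as required."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 is added when the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative serial numbers are handled here")
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_name_cn(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; here a single RDN with commonName (OID 2.5.4.3)."""
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))
    atv = der_tlv(0x30, oid_cn + der_tlv(0x0C, common_name.encode("utf-8")))
    return der_tlv(0x30, der_tlv(0x31, atv))


def issuer_and_serial_der(issuer_name: bytes, serial: int) -> bytes:
    """IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }."""
    return der_tlv(0x30, issuer_name + der_integer(serial))


def key_index_hash(issuer_name: bytes, serial: int) -> bytes:
    """The 20-byte value stored on the card in place of the certificate (assumed SHA-1)."""
    return hashlib.sha1(issuer_and_serial_der(issuer_name, serial)).digest()


@dataclass(frozen=True)
class KeyRecord:
    key_hash: bytes  # index value, 20 bytes
    key_ref: int     # card-internal key reference, one byte
    label: str       # short human-readable label

    def stored_bytes(self) -> int:
        """Bytes this record occupies under the assumed layout (hash + ref + label)."""
        return len(self.key_hash) + 1 + len(self.label.encode("utf-8"))


class CardKeyIndex:
    """Maps issuerAndSerialNumber hashes to card key references."""

    def __init__(self) -> None:
        self._records: Dict[bytes, KeyRecord] = {}

    def add(self, issuer_name: bytes, serial: int, key_ref: int, label: str) -> KeyRecord:
        if not 0 <= key_ref <= 0xFF:
            raise ValueError("key reference must fit in one byte")
        rec = KeyRecord(key_index_hash(issuer_name, serial), key_ref, label)
        self._records[rec.key_hash] = rec
        return rec

    def find(self, issuer_name: bytes, serial: int) -> Optional[KeyRecord]:
        return self._records.get(key_index_hash(issuer_name, serial))

    def storage_bytes(self) -> int:
        """Total index storage, for comparison against the size of one certificate."""
        return sum(r.stored_bytes() for r in self._records.values())


def select_decryption_key(index: CardKeyIndex,
                          recipient_ids: Iterable[Tuple[bytes, int]]) -> Optional[KeyRecord]:
    """Walk the (issuer, serial) pairs from a message's RecipientInfos and return the
    first key this card holds, or None if the message was not addressed to us."""
    for issuer_name, serial in recipient_ids:
        rec = index.find(issuer_name, serial)
        if rec is not None:
            return rec
    return None


# Constructed sample data: one issuer, the current key and one superseded key.
SAMPLE_ISSUER = der_name_cn("Example CA")
card = CardKeyIndex()
card.add(SAMPLE_ISSUER, 2001, key_ref=1, label="current")
card.add(SAMPLE_ISSUER, 1000, key_ref=2, label="old-2019")

if __name__ == "__main__":
    # A message addressed to an unrelated recipient and to our superseded key.
    rec = select_decryption_key(card, [(der_name_cn("Other CA"), 7), (SAMPLE_ISSUER, 1000)])
    print("decrypt with key ref", rec.key_ref, "(" + rec.label + ")")
    print("index bytes for", len(card._records), "keys:", card.storage_bytes())
```

Running it selects the superseded key (reference 2) for the second RecipientInfo, and the whole two-entry index is well under 100 bytes, which is the point of the reply: the lookup data for several old keys costs less than one stored certificate.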