Michael Ströder wrote:
Let me comment on a few things. We do not disagree with all but we look from
different angles.
>But crypto tokens are not suitable for S/MIME encryption keys because of
>the growing key history needed. So one has to distinguish PKI-enabled
>applications.
Authentication over the web is the killer PKI app and therefore I'm less
worried about S/MIME. LDAP (your primary work space?) is a core IT technology,
S/MIME is not.
>> PKI in such a setup is just another kind of password.
>Hmm, here I disagree since a password, even when used like in Kerberos,
>leaves the user's system (directly or as shared secret) whereas a
>private key used for signing something during authentication never
>leaves the key store of the client's system.
I did not really mean it on a technical level but as a domain-restricted use-case.
>> So what is then real problem?
>> 1. The European Smart Card industry who do not want to become suppliers
>> of commodities.
>???
>Each time I talked to smartcard vendors they were keen on selling their
>stuff. The more the better.
You mean there is a standard blank smartcard that you can buy from multiple
vendors that works right-out-of-the-box in most computer systems? Using what
kind of standard personalization software?
>> To achieve that we need a whole bunch of enablement technologies.
>> Most of the PKIX enrollment stuff will be obsolete in 5-10 years from
>> now
>I'd never trust a system where the mobile phone vendor initializes a key
>to avoid an enrollment process. If you really plan to establish such a
>system be assured that I will fight against this.
The idea is rather that the phone vendor provides an Open Key Container which
is initialized with a certified device key which is used for key attestations:
http://tinyurl.com/6rg7ap
Some other people working in the same space:
http://research.nokia.com/files/NRCTR2008007.pdf
Anders
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto