Thanx for this information Jean-Marc!
The smart card people are doing what they can to confuse the market. How
all these EU standards and national initiatives relate to each other is
close to a mystery. A taste of the current soup includes:
SCP - Secure Channel Protocol
PKCS #15 - Structure used by some cards
ISO-7816 - Seems to be the root of most cards
JavaCard 3 - An entirely new thing
TSM - Trusted Service Manager
FIPS201 - Used by the USG
GlobalPlatform - A private standards organization
German eCard
A gazillion CEN/3GPP/ETSI/BSI/CWA standards
Probably all this is good but it doesn't make middleware and interoperability
something that non-experts can reasonably comprehend.
To make things a bit more intriguing, I'm in the process of defining a
smart card/TPM architecture that addresses the bulk of eID applications.
Since it has a fixed API the middleware can be fixed as well.
Unlike most other efforts in this space it is designed to go with a
browser-based provisioning system allowing anybody with a compliant
CA to use it. To make it ubiquitous the very same scheme is also
intended to be a part of future mobile phones.
An architectural difference compared to current smart card schemes is
that it presumes that you have megabytes of cheap NAND flash in order
to support Microsoft Information Cards as well as a huge number of user-keys.
The scheme is meant to be run as an Open Hardware project to simplify
adoption by device vendors like makers of USB mass storage sticks.
There is an "SCP" at the heart of this design, but I'm unable to tell if
it does more than GlobalPlatform's SCP. I think so, though, since one motive
with this design is to open the keystore in such a way that you don't
need traditional smart card management and personalization software;
a web-based CA-app will do. End-user provisioning is thus a core theme,
but the architecture is also fully compatible with centralized production
of ID-cards. The latter suffer from a serious recovery-from-loss problem
that the described scheme can deal with in a novel way.
Regards
Anders Rundgren
Reasonably good engineer, lousy salesman
http://webpki.org/papers/keygen2/secure-key-store.pdf
http://keycenter.webpki.org
Jean-Marc Desperrier wrote:
> Anders Rundgren wrote:
>>> we see the start of going out of that through the European Citizen Card
>>> (ECC) standard "CEN TS 15480"
>> This is something I really hate:
>> http://www.evs.ee/product/tabid/59/p-165216-cents-15480-22007.aspx
>> Paying for *open* standards!
> In fact, I'm not sure I directed you to the most specifically pertinent
> standard. The card interface would be the one that CEN/TC224 is
> currently developing
> (http://www.etsi.org/WebSite/document/Workshop/Security2006/Security2006S3_2_Helmut_Scherzer.pdf)
> based on CWA 14890, which *is* easily available on-line (officially, I
> believe, since it's not a standard, just an agreement). I, in fact, mostly
> know the French profile of this spec, based on what is apparently a
> pre-version of the CEN/TC 224 standard; you can have some view of this
> on this page:
> http://www.soliatis.com/index.php?page=ias_ecc_test_suite&path=_
>> this scheme will get hard competition from a lot of places including
>> the token vendors who certainly do not want to become replaceable like
>> USB memory sticks.
> You're quite right on this point; this is certainly why there has been
> until now so little progress on inter-operable smart cards.
> But the same smart card vendors are also able to position themselves on
> a market when they are replaceable, when that market is for tens of
> millions of units like the one for EMV cards.
> And this is where the bait is for this standard: the long term
> perspective is to produce millions of ID/Health Care cards for governments.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto