OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pkcs11-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: (mis)Use of HSMs in the EU Passport system

In the EU biometrics are put into passport chips.  The biometrics are protected by a pretty complex PKI scheme.

Now to interesting part...
Since the passports are the actual RPs, CRLs and OCSP couldn't be used so instead short-lived access control certificates are issued from the mentioned PKI.
To make this realistic, sub CAs are automatically renewed.
Since the system is considered as "critical" the sub CA keys must be stored in HSMs.

However, neither the certification protocol nor the HSMs support attestations which means that after the initial key you have no guarantees that the following keys actually reside in the HSM!

That is, auto-renewals are outside of the current HSM concept and IMO that's a serious omission.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]