OASIS Mailing List Archives

pkcs11-comment message


Subject: Re: [pkcs11-comment] PKCS #11 support for U2F

On 2015-02-09 12:45, Francis Dupont wrote:
  In your previous mail you wrote:

  It seems that the thing that has got half of the industry running
  isn't supported by PKCS #11

=> you mean "has no direct support". IMHO support of complex (network)
protocols by PKCS #11 is at least questionable...
Anyway PKCS #11 offers all the needed low level crypto primitives
you need to implement FIDO stuff.

Indeed, but not in an end-to-end security fashion because that requires
key-container-based key-attestations which a $5 U2F token can do.

Somewhat surprisingly, this kind of thinking has not yet reached the HSM sector,
which means that auto-renewal schemes like BSI's EAC build on a model that
doesn't really work since the origin of the new key-pair cannot be securely
derived to the HSM!



