[pkix] EST-02 and PIN-codes

Anders Rundgren <anders.rundgren@telia.com> Sat, 27 August 2011 06:48 UTC


It has been mentioned in various list and off-list communications that associating an issuer-defined PIN-code with a deployed key in a token could be achieved by, for example, adding an attribute to the certificate response.

However, this requires that the token runs in "Administrator Mode" which it does in traditional CMSes (Card Management Systems).

I maintain that performing token provisioning using a [future] standard browser in a /secure/, /scalable/ and /user-friendly/ way is /_infeasible_/ based on current token technology, since the latter was neither designed to support end-user provisioning nor to deal with independent issuers.

In the SKS token, the administrator role is virtualized per issuer and doesn't require that the middleware impersonate a token administrator.  The user's ability to change PINs etc. is /unilaterally/ determined by each issuer's unique policy.  AFAICT, this assumes a full-blown E2ES (End To End Security) model.

The user's administrative capability is essentially limited to key delete operations and granting an issuer the right to create a key.

Anders
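The access model described in the message above (per-issuer virtualized administration, PIN policy fixed by each issuer, user limited to granting issuers and deleting keys) can be made concrete with a small toy model. This is an added illustration and not SKS code or anything from the PKIX/EST drafts; the class and method names, the `IssuerPolicy` fields and the HMAC-based request authentication standing in for the end-to-end security layer are all assumptions chosen for the example.

```python
"""Toy model of issuer-scoped (virtualized) token administration.

Added illustration only: not SKS code. The API names, the policy fields
and the HMAC request authentication (a stand-in for E2ES) are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuerPolicy:
    # Each issuer sets its own PIN policy; the user cannot override it.
    user_may_change_pin: bool
    min_pin_length: int


class PolicyError(Exception):
    pass


class AuthError(Exception):
    pass


def _pin_hash(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()  # toy: no salt or stretching


def request_mac(secret: bytes, issuer_id: str, op: str, key_id: str, pin: str) -> bytes:
    """The issuer, not the browser/middleware, holds the secret that authorises
    an administrative operation, so no token-wide admin credential exists."""
    msg = "|".join((issuer_id, op, key_id, pin)).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Token:
    def __init__(self):
        self._issuers = {}  # issuer_id -> (session_secret, IssuerPolicy)
        self._keys = {}     # key_id -> {"issuer": str, "pin_hash": bytes}

    # User-side administration: grant an issuer, delete a key, and (only if
    # that issuer's policy allows it) change a PIN. Nothing else.
    def user_grant_issuer(self, issuer_id, session_secret, policy):
        self._issuers[issuer_id] = (session_secret, policy)

    def user_delete_key(self, key_id):
        del self._keys[key_id]

    def user_change_pin(self, key_id, old_pin, new_pin):
        entry = self._keys[key_id]
        _, policy = self._issuers[entry["issuer"]]
        if not policy.user_may_change_pin:
            raise PolicyError("issuer policy forbids user PIN changes")
        if not hmac.compare_digest(_pin_hash(old_pin), entry["pin_hash"]):
            raise AuthError("wrong PIN")
        self._set_pin(entry, new_pin, policy)

    # Issuer-side administration: every request is MAC-checked and may only
    # touch keys the same issuer created (the per-issuer admin scope).
    def issuer_request(self, issuer_id, op, key_id, pin, tag):
        secret, policy = self._issuers[issuer_id]  # KeyError: never granted
        if not hmac.compare_digest(request_mac(secret, issuer_id, op, key_id, pin), tag):
            raise AuthError("bad request MAC")
        if op == "create_key":
            if key_id in self._keys:
                raise PolicyError("key already exists")
            entry = {"issuer": issuer_id, "pin_hash": b""}
            self._set_pin(entry, pin, policy)
            self._keys[key_id] = entry
        elif op == "set_pin":
            entry = self._keys[key_id]
            if entry["issuer"] != issuer_id:
                raise AuthError("key belongs to another issuer")
            self._set_pin(entry, pin, policy)
        else:
            raise ValueError(f"unknown op {op}")

    def _set_pin(self, entry, pin, policy):
        if len(pin) < policy.min_pin_length:
            raise PolicyError("PIN shorter than issuer minimum")
        entry["pin_hash"] = _pin_hash(pin)

    def has_key(self, key_id):
        return key_id in self._keys


def demo():
    """Runs a constructed two-issuer scenario; returns each outcome as 'ok' or 'denied'."""
    t = Token()
    t.user_grant_issuer("bank", b"bank-secret", IssuerPolicy(False, 6))
    t.user_grant_issuer("mail", b"mail-secret", IssuerPolicy(True, 4))
    t.issuer_request("bank", "create_key", "k1", "123456",
                     request_mac(b"bank-secret", "bank", "create_key", "k1", "123456"))
    t.issuer_request("mail", "create_key", "k2", "4321",
                     request_mac(b"mail-secret", "mail", "create_key", "k2", "4321"))
    out = {}

    def attempt(name, fn):
        try:
            fn()
            out[name] = "ok"
        except (AuthError, PolicyError):
            out[name] = "denied"

    # "mail" presents a valid MAC but targets the bank's key: scope check blocks it
    attempt("cross_issuer_set_pin", lambda: t.issuer_request(
        "mail", "set_pin", "k1", "000000",
        request_mac(b"mail-secret", "mail", "set_pin", "k1", "000000")))
    # middleware without the issuer secret forges a request: MAC check blocks it
    attempt("forged_mac", lambda: t.issuer_request("bank", "set_pin", "k1", "000000", b"\x00" * 32))
    # user PIN change: forbidden by the bank's policy, allowed by the mail issuer's
    attempt("user_pin_change_bank", lambda: t.user_change_pin("k1", "123456", "654321"))
    attempt("user_pin_change_mail", lambda: t.user_change_pin("k2", "4321", "8765"))
    attempt("user_delete", lambda: t.user_delete_key("k1"))  # user may always delete
    out["k1_present"] = t.has_key("k1")
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is that there is no single "Administrator Mode": each issuer's authority stops at its own keys and is proven per request, so the browser relaying the request never needs, and never sees, an administrator credential.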