[17961] in cryptography@c2.net mail archive
Qualified Certificate Request
daemon@ATHENA.MIT.EDU (Philipp =?iso-8859-1?q?G=FChring?=)
Thu Jul 21 13:54:23 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: Philipp =?iso-8859-1?q?G=FChring?= <pg@futureware.at>
To: cryptography@metzdowd.com
Date: Thu, 21 Jul 2005 18:55:45 +0200
X-MDaemon-Deliver-To: cryptography@metzdowd.com
Reply-To: pg@futureware.at
Hello,
Peter Saint-Andre invited me here to present my concept of Qualified=20
Certificate Requests to you.
It is a long-term goal of CAcert to be able to provide qualified certificat=
es.
Regarding the requirements for qualified certificates, the only obstacle we=
=20
still have is the problem, that CAcert has to make sure, that the private k=
ey=20
for the certificate is generated and stored securely in a SmartCard, or=20
another Hardware Token.
Since the users should be able to issue the certificates at home, we need a=
=20
technical solution to make sure, that the private key is from within a=20
SmartCard, when we receive a certificate request.
Therefore I designed "Qualified Certificate Requests", which cryptographica=
lly=20
signs the public key in the CSR with a vendor key, to state that it comes=20
from a secure device.
Now I created a software-based reference implementation, so that the securi=
ty=20
of the system can be evaluated, and that the Token Vendors can see how to d=
o=20
it, and can do interop testing.
http://www2.futureware.at/svn/sourcerer/CAcert/QCSR/
And here is the documentation:
http://wiki.cacert.org/wiki/QualifiedCertificateRequest
Please test it, analyze it, try to break it.
Regards,
Philipp G=FChring
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
