
Thread: Re: PKCS#11 forwarding driver?




Re: PKCS#11 forwarding driver?
France
2007-07-04 07:29:37
Timothy J. Miller wrote:
> There is no getting around the enrollment trust problem.  Most
> sensible smartcard and PKI deployments handle this via an enrollment
> ceremony that involves a face-to-face component.
As for the enrollment trust problem, IMHO, using the secure channel is a good
alternative to the face-to-face.
From the technical point of view, a distant enrollment with secure channel
can be more secure than face-to-face enrollment without secure channel.

Regards,
Viktor.



>
> -- Tim
>
> On Jul 2, 2007, at 1:59 PM, Alon Bar-Lev wrote:
>
>> On 7/2/07, Jim Rees <reesumich.edu> wrote:
>>> We do something like this to translate kerberos tickets into cert/key usable
>>> from pkcs11.  But it only makes sense if you have some way to convince the
>>> CA that it should sign the keypair and issue a cert.  In our case that's
>>> kerberos.  Otherwise, how can anyone trust the cert?
>>
>> But Kerberos is weaker than PKI in terms of authentication.
>> You can use PKI in order to authenticate to Kerberos.
>> So you have static certificate for user and dynamic authorization
>> using kerberos.
>>
>> Alon.
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devellists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>