Integrating n-of-m threshold scheme
andreas.schwier.ml at cardcontact.de
Mon Sep 7 20:39:22 CEST 2015
> What are the use cases you have in mind?
The feature was actually developed based on a customer request. It will
be used for 3 different use cases:
1. Protect access to CA signing keys
In the CA procedure the CA key store may only be activated by two key
custodians acting together. Because key custodians have different times
on duty, a group of 6 persons are authorized and two must act together
to enable CA keys.
2. Key escrow
User documents are encrypted for a private key controlled by the
document owner. If the document owner can no longer take control, a
group of people come together to enable access to the escrow key, for
which a copy of each document is encrypted. In the scheme 5 out of 10
key custodians must work together.
3. Shared control SSH access
There exists a dedicated and quite expensive hardware box that allows
sharing control of important SSH keys. Using a SmartCard-HSM to store the
SSH key and an n-of-m scheme allows a less costly alternative using
Of course there are more applications, like safeguarding code signing
keys for example. The other application is remote activation where the
SmartCard-HSM connects to an authentication server for activation.
For the PKCS#11 interface we are looking to use the remote management
interface available in the ScriptingServer of the OpenSCDP project. That
is basically a HTTP protocol (RAMoverHTTP from Global Platform) that
connects the SmartCard-HSM via the P11 module with a remote server.
Purpose of the server is to manage the authentication protocol, i.e.
provide a website to the key custodian and support the authentication
protocol for both sides, the SmartCard-HSM performing the n-of-m scheme
and the device with the private authentication key.
Sounds to me like the remote APDU feature is similar. Where would I find
the code?
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149