Want support for GP Secure Channel (SCP03) #57
Comments
Would this fall under FIPS 201 2.9.2?
This seems consistent with SP-800-85A-4:
That would seem to indicate that card management functionality could be performed over a GP channel without violating the spec, as long as the security level was sufficient.
Reading through the comments of SP 800-73-4, https://csrc.nist.gov/CSRC/media/Publications/sp/800-73/4/archive/2015-05-29/documents/sp800_73-4_2013_draft_comments_and_dispositions.pdf, NIST seems to make it clear that card management itself is out of scope (so it is fine to use SCP03 or whatever). They also make it clear that they don't want PIV operations being done over alternate mechanisms. Specifically: "Declined. While other secure messaging protocols (e.g., GlobalPlatform SCP03) may be used for CMS to PIV Card communication, only the protocol specified in SP 800-73-4, for interoperability reasons, may be used to perform non-card-management operations within the PIV Card Application."
Since Yubico have added support for sending their admin commands over GP secure channel (SCP03) in the latest firmware, we should probably support it as well in some way, to keep feature parity.
Note that this is not the same as PIV Secure Messaging or VCI (#32).