Remote PKCS#11
Remote usage of PKCS#11
Setting up an encrypted connection across the internet requires establishing trust between the two endpoints. There are multiple ways, one of which is the use of asymetric keys. However, in many cases there will not be a suitable hardware crypto device available - and storing crypto credentials in userspace on lots of insecure devices (such as mobile phones) is quite risky. Managing and auditing usage of those credentials in such a case is a problem. The project entails two innovative ideas to isolate and organise credentials: "Hosted PKCS#11" which allow users to use a trusted remote crypto store instead of a local store (which is of course much easier to audit, assuming that the back end system on which the keys are stored is professionally managed by someone trustworthy), and "Layered PKCS #11" which can downgrade or upgrade identities to roles, groups and other attributes of a user (such as "age").
- The project's own website: https://github.com/vanrein/quick-der/blob/master/arpa2/RemotePKCS11.asn1
This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy.