In the current design, PACCOR signs the platform certificates internally using supplied keys. Since the storage and operation of private keys are security sensitive, typically an HSM or HSM services are used. There are already services that provide secure key operation.
PACCOR can benefit from allowing a trusted external signer, as it would focus on generating TCG-compliant platform certificates while external services handle the protection/operation/maintenance of keys. Since key management services are well established in the market, this can also help drive more adoption of PACCOR (and platform certificates).
We should be able to implement this with minimal change/addition to the existing codebase.
We can implement a new ContentSigner class which makes a call to get the platform certificate signed remotely. This is in SigningCli.java:

```java
Remote_ContentSigner remote_signer;
ach = pcf.build(remote_signer);
```

The pcf (an instance of the platformcertificatebuilder class) passes the remote_signer directly to BouncyCastle X509AttributeCertificateBuilder.
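One way the remote signer proposed in the comment above could look, as an added example that is not part of the issue thread or PACCOR's code: a BouncyCastle `ContentSigner` that buffers the to-be-signed bytes, delegates signing to an external service, and verifies the returned signature locally before the builder uses it. `RemoteContentSigner`, `RemoteSigningClient` and its `sign` method are hypothetical names, and the signer's public key is assumed to come from the signing certificate.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

// Hypothetical transport to the external signer (KMS/HSM service); not a PACCOR or BouncyCastle type.
interface RemoteSigningClient {
    byte[] sign(String jcaAlgorithm, byte[] toBeSigned) throws Exception;
}

// ContentSigner that never holds the private key: it buffers the bytes to be signed and delegates.
public class RemoteContentSigner implements ContentSigner {
    private final String jcaAlgorithm;        // e.g. "SHA256withRSA"; must match the remote key type
    private final AlgorithmIdentifier algId;  // written into the certificate's signatureAlgorithm field
    private final RemoteSigningClient client;
    private final PublicKey signerPublicKey;  // used only to verify what the service returns
    private final ByteArrayOutputStream tbs = new ByteArrayOutputStream();

    public RemoteContentSigner(String jcaAlgorithm, RemoteSigningClient client, PublicKey signerPublicKey) {
        // find() throws IllegalArgumentException for an unknown algorithm name, so this fails early.
        this.algId = new DefaultSignatureAlgorithmIdentifierFinder().find(jcaAlgorithm);
        this.jcaAlgorithm = jcaAlgorithm;
        this.client = client;
        this.signerPublicKey = signerPublicKey;
    }

    @Override public AlgorithmIdentifier getAlgorithmIdentifier() { return algId; }

    // The certificate builder writes the DER-encoded to-be-signed structure into this stream.
    @Override public OutputStream getOutputStream() { return tbs; }

    @Override public byte[] getSignature() {
        byte[] data = tbs.toByteArray();
        tbs.reset();  // allow the signer to be reused for another certificate
        try {
            byte[] sig = client.sign(jcaAlgorithm, data);
            // Verify locally so a wrong key, wrong algorithm or altered response fails closed.
            Signature v = Signature.getInstance(jcaAlgorithm);
            v.initVerify(signerPublicKey);
            v.update(data);
            if (!v.verify(sig)) throw new GeneralSecurityException("remote signature did not verify");
            return sig;
        } catch (Exception e) {
            throw new IllegalStateException("remote signing failed", e);
        }
    }
}
```

The local verification step matters because the algorithm identifier is set by the caller while the key lives in the service; a mismatch between the two would otherwise produce a certificate that only fails later at the verifier.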