
This article is valid for Smart ID Identity Manager 24.R1 or later.

...

  • encryptedFields: Encryption and decryption of fields in the Identity Manager database

  • configZipEncrypter: Encryption of the configuration files

  • configZipSigner: Signing and validation of the configuration files

  • objectHistorySigner: Signing and verification of the object history

  • signEmailDescriptor: Signing of emails

  • hermodDeviceEnc: Creation of device encryption certificates that are used in Smart ID messaging

  • SelfServiceJWTSigner: Authentication of Smart ID Self-Service users to the Identity Manager backend

  • ContentProviderJWSSigner: Creation of JWS signatures used for the Smart ID messaging content provider API

  • idopteAuthentication: Initial handshake with Idopte client-side middleware

  • insideClientAuth: Authentication to the IN Groupe Inside Server

  • att_*: Attestation for provisioning to Smart ID Mobile / Desktop Apps

  • (arbitrary name): Decryption of PIN blobs from pre-personalized smart-cards created with the Personal Desktop Client

...

  • use case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when the Idopte middleware is used (see Encoding using Idopte middleware in Identity Manager)

  • configured in this application:

    • Identity Manager Operator

  • general requirements:

    • the descriptor can be omitted entirely (not even a placeholder is needed) if the Idopte middleware is not used; otherwise a correct certificate and key pair are required

    • PKI card encoding via the Idopte middleware will fail if the descriptor is missing or configured incorrectly

  • algorithm attribute: not used (only the certificate and private key from the descriptor are used)

  • versioning: not needed

  • storage: pkcs12

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

  • certificate requirements:

    • validity DOES matter: the connection to the Inside server will fail once the certificate has expired

    • unsure whether self-signed certificates would work (a CA-issued certificate is recommended)

    • must be trusted by Inside server

    • key usage: digitalSignature
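As an added pre-flight check (example code, not part of Identity Manager or of this page), the following script opens an insideClientAuth PKCS#12 file and tests it against the key, validity and key usage requirements listed above; it assumes the Python `cryptography` package and flags self-signed certificates because the page recommends a CA-issued one:

```python
"""Pre-flight check for an insideClientAuth PKCS#12 file against the requirements listed above."""
from datetime import datetime, timezone

from cryptography import x509
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12

# Key sizes this page lists as supported for insideClientAuth (4096 is the recommended one).
SUPPORTED_RSA_SIZES = (2048, 3072, 4096)


def _spki(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, used to confirm the private key belongs to the certificate."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def check_inside_client_p12(p12_bytes: bytes, password) -> list:
    """Return the list of requirement violations; an empty list means the file passes."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or cert is None:
        return ["PKCS#12 must contain both the private key and its certificate"]
    problems = []
    # key requirements: RSA 2048 / 3072 / 4096 only
    if not isinstance(key, rsa.RSAPrivateKey):
        problems.append("private key is not RSA")
    elif key.key_size not in SUPPORTED_RSA_SIZES:
        problems.append(f"RSA key size {key.key_size} is not one of {SUPPORTED_RSA_SIZES}")
    if _spki(key.public_key()) != _spki(cert.public_key()):
        problems.append("private key does not match the certificate's public key")
    # certificate validity matters: the Inside server connection fails once it has expired
    now = datetime.now(timezone.utc)
    try:
        not_before, not_after = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # cryptography < 42 exposes naive UTC datetimes only
        not_before = cert.not_valid_before.replace(tzinfo=timezone.utc)
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not (not_before <= now <= not_after):
        problems.append(f"certificate not valid now (valid {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d})")
    # key usage must include digitalSignature
    try:
        if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
            problems.append("keyUsage extension does not include digitalSignature")
    except x509.ExtensionNotFound:
        problems.append("certificate has no keyUsage extension (digitalSignature is required)")
    # the page recommends a CA-issued certificate; flag self-signed ones so they get reviewed
    if cert.issuer == cert.subject:
        problems.append("certificate is self-signed; a CA-issued certificate trusted by the Inside server is recommended")
    return problems
```

Run it against the exported PKCS#12 before deploying the descriptor; an empty list is a pass, and a wrong password raises a `ValueError` from the PKCS#12 loader.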

...