Info: This article is valid for Smart ID Identity Manager 24.R1 or later.

...

  • use case: signing content for Visual ID provisioning to the Smart ID Mobile App

  • configured in this application:

  • storage: pkcs12, HSM (recommended)

  • versioning: possible, but unnecessary

  • general requirements:

    • placeholder allowed only if Visual ID is not used

      • if the certificate configured here is not trusted by the end-user (mobile) device, then Visual ID provisioning will fail

      • forgery of Visual IDs is possible if a placeholder key is used and that key is also trusted by the end-user device

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

  • certificate requirements:

    • must not be self-signed!

    • key usage is not checked (recommended for informational purposes: set digitalSignature)

    • the issuing CA certificate must be trusted by the app that Visual IDs are provisioned to

    • validity: at your discretion (make sure you do not forget to renew before the expiry date!); validity is checked on the SDK side

  • versioning: not needed (the default, i.e. highest, version is always used)

...

  • use case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when the Idopte middleware is used (see Encoding using Idopte middleware in Identity Manager)

  • configured in this application:

    • Identity Manager Operator

  • general requirements:

    • the descriptor can be omitted entirely (not even a placeholder is needed) if the Idopte middleware is not used; otherwise a correct certificate and key pair are required

    • PKI card encoding via the Idopte middleware will fail if the descriptor is missing or configured incorrectly

  • algorithm attribute: not used (only the certificate and private key from the descriptor are used)

  • versioning: not needed

  • storage: pkcs12

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

  • certificate requirements:

    • validity DOES matter: the connection to the Inside server will fail once the certificate has expired

    • unsure whether self-signed certs would work (recommend using a CA). Maybe remove "unsure" from public documentation

    • must be trusted by Inside server

    • key usage: digitalSignature
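The certificate requirements above are stated twice, once for the Visual ID signing descriptor and once for the Inside server authentication descriptor, and they can be checked mechanically before a descriptor is deployed. The Go program below is an added example written for this page; it is not Smart ID Identity Manager code and uses no Identity Manager API. It constructs a CA and three leaf certificates in-process (a compliant one, a self-signed placeholder, and an expired one) and checks each against the listed requirements: RSA key size in {2048, 3072, 4096}, not self-signed, keyUsage digitalSignature, currently valid, and chaining to a CA in the relying side's trust store. The function names, the violation codes and the trust pool are assumptions of the example, not names from the product.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var allowedRSABits = map[int]bool{2048: true, 3072: true, 4096: true} // sizes the page lists as supported

// CheckDescriptorCert checks one descriptor certificate against the page's requirements and returns
// every violation found, keyed by a short code (empty map means compliant). trusted is the trust
// store of the relying side, i.e. the Smart ID Mobile App or the Inside server.
func CheckDescriptorCert(leaf *x509.Certificate, trusted *x509.CertPool, now time.Time) map[string]string {
	problems := map[string]string{}
	// Supported key types: RSA 2048 / 3072 / 4096 only.
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); !ok {
		problems["key-type"] = "key is not RSA"
	} else if !allowedRSABits[pub.N.BitLen()] {
		problems["key-size"] = fmt.Sprintf("RSA %d bits, expected 2048, 3072 or 4096", pub.N.BitLen())
	}
	// Self-signed: the certificate's own key verifies its signature (CheckSignature skips the CA
	// constraints that CheckSignatureFrom applies, so a placeholder leaf is still caught).
	if leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		problems["self-signed"] = "subject signed its own certificate"
	}
	// keyUsage digitalSignature (informational for Visual ID, required for the Inside server).
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems["key-usage"] = "digitalSignature not set"
	}
	// Validity window: an expired certificate breaks both use cases.
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		problems["validity"] = fmt.Sprintf("not valid at %s (%s to %s)", now.Format(time.RFC3339),
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	// The issuing CA must be in the relying side's trust store; ExtKeyUsageAny because this is not a TLS cert.
	opts := x509.VerifyOptions{Roots: trusted, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		problems["untrusted-ca"] = err.Error()
	}
	return problems
}

// Fixture holds certificates constructed in-process for this example (not real Smart ID material).
type Fixture struct {
	Roots                          *x509.CertPool // what the relying side trusts
	Compliant, SelfSigned, Expired *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildFixture creates a CA, a compliant leaf it issued, a self-signed "placeholder" leaf and an
// expired leaf, all with validity periods relative to now.
func BuildFixture(now time.Time) *Fixture {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := func(serial int64, cn string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: notAfter,
			KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		}
	}
	selfTmpl := leafTmpl(3, "placeholder", now.AddDate(1, 0, 0))
	fx := &Fixture{Roots: x509.NewCertPool()}
	fx.Roots.AddCert(ca)
	fx.Compliant = issue(leafTmpl(2, "visual-id-signer", now.AddDate(1, 0, 0)), ca, &leafKey.PublicKey, caKey)
	fx.SelfSigned = issue(selfTmpl, selfTmpl, &leafKey.PublicKey, leafKey)
	fx.Expired = issue(leafTmpl(4, "expired-signer", now.Add(-time.Minute)), ca, &leafKey.PublicKey, caKey)
	return fx
}

func main() {
	now := time.Now()
	fx := BuildFixture(now)
	for name, c := range map[string]*x509.Certificate{"compliant": fx.Compliant, "self-signed": fx.SelfSigned, "expired": fx.Expired} {
		fmt.Println(name, CheckDescriptorCert(c, fx.Roots, now))
	}
}
```

In a real deployment the leaf would be read from the PKCS#12 (or HSM-backed) descriptor and the trust pool from the mobile app's or the Inside server's trust store. The self-signed check is the one a placeholder key trips; a placeholder that is nevertheless trusted by the end-user device is exactly the forgery risk the Visual ID section warns about, and the validity check is the one that bites when a renewal is forgotten.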

...