Send in your ideas. Deadline December 1st, 2020.


Remote PKCS#11

[Remote PKCS#11]

Setting up an encrypted connection across the internet requires establishing trust between the two endpoints. There are multiple ways, one of which is the use of asymetric keys. However, in many cases there will not be a suitable hardware crypto device available - and storing crypto credentials in userspace on lots of insecure devices (such as mobile phones) is quite risky. Managing and auditing usage of those credentials in such a case is a problem. The project entails two innovative ideas to isolate and organise credentials: "Hosted PKCS#11" which allow users to use a trusted remote crypto store instead of a local store (which is of course much easier to audit, assuming that the back end system on which the keys are stored is professionally managed by someone trustworthy), and "Layered PKCS #11" which can downgrade or upgrade identities to roles, groups and other attributes of a user (such as "age").

"Remote PKCS#11" is supported by NLnet and Internet Hardening Fund.