Re: root certs on smart cards: msg#00232

encryption.opensc.devel

Subject: Re: root certs on smart cards

Justin Karneges wrote:
> Hi folks,
>
> I'm just now looking into smart card programming. I wondered, is it possible or would it even make sense to have root certs stored on a smart card?

it's certainly possible but whether it makes sense depends on your
scenario (can you trust the cert from the card, and as smartcards
are very slow: do you actually want to read it from the card if
possible).

> I ask because if I'm validating a certificate I wonder if my app should try to read some roots off of an inserted smart card, to use for validation (either in place of, or in addition to, the usual roots on the host system). Note that

the systems validating the smartcard must know who they can trust, but I would
normally use own copies of root certificates for the validating system

> I'm not talking about secondary issuers, as I know those can be on a smart card.

> As I understand it, smart cards are basically containers for data structures that can perform algorithms on the types they know about.

this description matches every computer so it's true

> It might be that any x.509 question is beyond the scope of what smart cards actually do, and so instead I'm supposed to follow some unwritten "best practices". Any websites about this would be great.

if you are unsure you might consider following the designs of some other
big ID card project (Belgian, Italian, Spanish (ceres) and Estonian ID
card projects (sorry no link at hand, ask google)) but as I don't know
what you want to do I'm not sure if this really helps.

Cheers,
Nils
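
The split discussed in this message (the validating system keeps its own copies of the roots, while secondary issuers may be read from the card) maps onto the `-CAfile` and `-untrusted` inputs of `openssl verify`. The script below is an added example, not part of the original thread; the throw-away PKI and every name and file in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed throw-away PKI, every name below is made up.
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

mkroot() {  # mkroot NAME: self-signed root CA
    openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

mkcert() {  # mkcert NAME ISSUER TRUE|FALSE: cert signed by ISSUER, CA flag as given
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$work/$1.ext"
    openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    openssl x509 -req -in "$work/$1.csr" -days 2 -CA "$work/$2.pem" \
        -CAkey "$work/$2.key" -CAcreateserial -extfile "$work/$1.ext" \
        -out "$work/$1.pem" 2>/dev/null
}

# Host roots are the only trust anchors (-CAfile). Everything read from the
# card goes in as -untrusted: usable to build the path, never to end it.
validate() {  # validate LEAF HOST_ROOTS CARD_CERTS
    openssl verify -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

mkroot host-root                    # validator's own copy of the root
mkcert card-issuer host-root TRUE   # secondary issuer stored on the card
mkcert alice card-issuer FALSE      # user cert chaining to the host root
mkroot other-root                   # self-signed root the host does not know
mkcert mallory other-root FALSE     # user cert chaining to that unknown root

cat "$work/card-issuer.pem" > "$work/good-card.pem"     # card carries an issuer
cat "$work/other-root.pem"  > "$work/unknown-card.pem"  # card carries a "root"

validate "$work/alice.pem"   "$work/host-root.pem" "$work/good-card.pem" \
    && echo "alice: accepted (path ends at a host root)"
validate "$work/mallory.pem" "$work/host-root.pem" "$work/unknown-card.pem" \
    || echo "mallory: rejected (card-supplied root is not an anchor)"
```

The second chain verifies only if `other-root.pem` is passed as `-CAfile`, which is exactly the decision that stays with the validating system rather than with the card.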

