Define two Administrator with different privileges on smart cards

0
votes

Assume a situation in which that you want to distribute a card between two different companies (Let named them Company-A and Company-B). These companies must be able to install or delete their Applets on the card, but they should not be able to delete the Applet of the other company.

I think there is two solution :

  1. Define two Key Sets in the ISD (named KS1 and KS2), and define their related privilege for each Key Set in a way to obtain the described conditions.Then give KS1 to Company-A and KS2 to Company-B.
  2. Adding different Security Domain(Named SD1 and SD2) and give the keys of SD1(Can it be the ISD?) to Company-A and the keys of SD2 to Company-B.

Q1: Which one of above solutions is true? Is there any other solution? if so, how to do it? [In this step, answer of the second part is optional! ;) ]

Q2: Using the correct solution, can them see the AID of the other company's Applets in the output of list contents command?

1
smartcardjavacardglobalplatform

1 Answers

2
votes

Q1: Every security domain has the right to delete any associated applets during any time, therefore solution 1 does not work.

Solution 2 is the right one. Read more in the Global Platform specification abaout Supplementary Security Domain (SSD)

Q2: To my knowledge it is not possible to hide any applets and I think there was a similar question in this forum already concerning this topic