7.1 GlobalPlatform keys

Note: Your card vendor will provide you with the factory GlobalPlatform keys that enable MyID to work with your cards.

GlobalPlatform keys and the related specifications and protocols are defined in the GlobalPlatform Card Specification, available at http://www.globalplatform.org/.

At manufacture time, the card is given a key set as defined by SCP1/SCP2/SCP03 (Secure Channel Protocol).

For MyID to communicate with the card using SCP, it has to know the key set. You need the GlobalPlatform keys to:

Note: The factory keys may be known by third parties. Unless you are just evaluating or testing MyID, you should enter a set of keys specific to your own organization (customer keys).

It is also possible that the card manufacturer has agreed to provide cards with a more secure diversified key set. In this case, you will need to use the Key Ceremony option in the Manage GlobalPlatform Keys workflow to import the factory master key securely.
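
The following is an added example, not part of MyID or of the original page: a sanity check you could run on a candidate customer key set before entering it, rejecting the widely published GlobalPlatform test key (40 41 ... 4F) and structurally weak keys. The function names and the ENC/MAC/DEK dictionary layout are assumptions made for the illustration.

```python
# Added example, not MyID code. ENC/MAC/DEK are the three static keys of a
# GlobalPlatform key set; all key values used with this function are constructed.

# Widely published GlobalPlatform test key (40 41 ... 4F).
DEFAULT_TEST_KEY = bytes(range(0x40, 0x50))

# SCP01/SCP02 use 2-key 3DES (16 bytes); SCP03 uses AES-128/192/256.
KEY_LENGTHS = {"SCP01": (16,), "SCP02": (16,), "SCP03": (16, 24, 32)}


def strip_des_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of each byte; DES ignores it."""
    return bytes(b & 0xFE for b in key)


def check_key_set(keys: dict, scp: str) -> list:
    """Return a list of findings; an empty list means no check failed."""
    findings = []
    is_3des = scp in ("SCP01", "SCP02")
    effective = {}
    for name in ("ENC", "MAC", "DEK"):
        try:
            raw = bytes.fromhex(keys[name])
        except (KeyError, ValueError):
            findings.append(f"{name}: missing or not valid hex")
            continue
        if len(raw) not in KEY_LENGTHS[scp]:
            findings.append(f"{name}: {len(raw)} bytes is not valid for {scp}")
            continue
        # Compare on the bits the cipher actually uses.
        eff = strip_des_parity(raw) if is_3des else raw
        test = strip_des_parity(DEFAULT_TEST_KEY) if is_3des else DEFAULT_TEST_KEY
        effective[name] = eff
        if eff == test:
            findings.append(f"{name}: published test key")
        if len(set(raw)) == 1:
            findings.append(f"{name}: single repeated byte")
        if is_3des and eff[:8] == eff[8:]:
            findings.append(f"{name}: equal halves, 3DES collapses to single DES")
    if len(set(effective.values())) < len(effective):
        findings.append("key set: ENC, MAC and DEK are not all distinct")
    return findings
```

For 3DES key sets the comparison ignores parity bits, so a key that differs from the test key only in parity is still flagged.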

When you issue a card through MyID, the factory keys are used to authenticate to the card in order to manage applets on the card. You can issue a Java card through MyID without having entered the factory keys if no applet operations are required (for example, if you are working with certificates and the PKI applets are already installed).

If a customer key has been entered into MyID, the factory keys on the smart card are replaced by your own customer keys when the card is issued; the customer keys then secure the card.

Canceling a card removes your customer keys and reinstates the factory keys: this enables the card to be re-used with this or another installation of MyID. Because the customer keys are specific to the installation of MyID in which they were stored, cards issued using customer keys cannot be canceled using another system.

Warning: You must cancel any cards issued using customer GlobalPlatform keys before you uninstall MyID, or you will not be able to use the cards again.