7.1 GlobalPlatform keys
Note: Your card vendor will provide you with the factory GlobalPlatform keys that enable MyID to work with your cards.
GlobalPlatform Keys and related specifications and protocols are defined in the GlobalPlatform Card Specification available at www.globalplatform.org.
At manufacture time, the card is given a key set as defined by the Secure Channel Protocol (SCP01, SCP02, or SCP03).
For MyID to communicate with the card using SCP, it has to know the key set. You need the GlobalPlatform keys to:
- Add or remove applets on the card.
- Perform device-specific prepersonalization (for example, loading PKI applets onto a card during issuance).
- Change the 9B key on some PIV cards (for example, Oberthur PIV cards).
- Change the GlobalPlatform Keys to customer keys.
Note: The factory keys may be known by third parties. Unless you are just evaluating or testing MyID, you should enter a set of keys specific to your own organization (customer keys).
It is also possible that the card manufacturer has agreed to provide cards with a more secure diversified keyset. In this case, you will need to use the Key Ceremony option in the Manage GlobalPlatform Keys workflow to import the factory master key securely.
When you issue a card through MyID, the factory keys are used to authenticate to the card in order to manage
If a customer key has been entered into MyID, the factory keys on the smart card are replaced by your own customer keys when the card is issued. The customer keys then secure the card.
Canceling a card removes your customer keys and reinstates the factory keys: this enables the card to be re-used with this or another installation of MyID. Because the customer keys are specific to the installation of MyID in which they were stored, cards issued using customer keys cannot be canceled using another system.
Warning: You must cancel any cards issued using customer GlobalPlatform keys before you uninstall MyID, or you will not be able to use the cards again.
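The key lifecycle described above, as a toy model added here (it is not MyID or card vendor code): it shows why a card issued with one installation's customer keys can only be canceled by that installation. HMAC-SHA256 stands in for the real SCP cryptogram, and the names `Card`, `Installation`, `response` and `lifecycle` are hypothetical.

```python
import hashlib
import hmac
import os

def response(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for the SCP host cryptogram (assumption: real cards use 3DES/AES constructions).
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Card:
    """Toy card: holds one GlobalPlatform key, replaceable only after authentication."""
    def __init__(self, factory_key: bytes):
        self._key, self._challenge = factory_key, None

    def get_challenge(self) -> bytes:
        self._challenge = os.urandom(16)
        return self._challenge

    def put_key(self, proof: bytes, new_key: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # each challenge is single use
        if challenge is None or not hmac.compare_digest(proof, response(self._key, challenge)):
            return False  # caller does not hold the key currently on the card
        self._key = new_key  # a real card receives the new key encrypted, not in the clear
        return True

class Installation:
    """Toy installation: knows the factory key and, optionally, its own customer key."""
    def __init__(self, factory_key: bytes, customer_key: bytes = None):
        self.factory_key, self.customer_key = factory_key, customer_key

    def issue(self, card: Card) -> bool:
        new_key = self.customer_key or self.factory_key  # no customer key: card stays on factory key
        return card.put_key(response(self.factory_key, card.get_challenge()), new_key)

    def cancel(self, card: Card) -> bool:
        current = self.customer_key or self.factory_key  # reinstate the factory key
        return card.put_key(response(current, card.get_challenge()), self.factory_key)

def lifecycle() -> dict:
    factory = bytes(range(16))  # constructed sample value, not a real vendor key
    site_a = Installation(factory, os.urandom(16))
    site_b = Installation(factory, os.urandom(16))
    card = Card(factory)
    return {
        "A issues": site_a.issue(card),
        "B cancels A's card": site_b.cancel(card),
        "B issues A's card": site_b.issue(card),
        "A cancels": site_a.cancel(card),
        "B issues after cancel": site_b.issue(card),
    }
```

In this model, discarding `site_a` before it cancels the card leaves the card on a key nobody else holds, which is the situation the warning above describes.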