Global ASK (App Signature Key) Grant

[ramhee98]

It would be beneficial to have the option to grant an ASK globally in every exam.

The global ASK (App Signature Key) Grants could be listed on a separate page and managed in the same way as the "Security Key Grants" in each Exam.

Optionally, it could be selectable for each exam if the global ASK Grants are accepted too. And there could be a button on each exam to "Add Global Security Grant" below the "Add Security Grant" which only grants the ASK for the specific Exam.

[anhefti]

We have discussed this issue internally and unfortunately it is not possible to have global ASK grants because of internal security architecture of the ASK.

The ASK is generated by SEB client with a salt from SEB Server and this salt is different for each SEB Server exam. This means, even if the SEB client is the same, the ASK hash is different for each Exam in SEB Server. Even SEB Server does not know the actual ASK value, but only the computed hash of the ASK that is different per Exam and can be granted per Exam or the heuristic threshold can be used, if one do not want to make the Grants manually every time.

This is as designed and for security reasons to prevent sharing/leaking ASK hashes.