Private keys used to digitally sign files to be downloaded to a terminal
are protected by storing them in smartcards. A secure processor unit
embedded in the smartcard performs all signing operations that require
access to the keys, so the keys never leave the card. In addition, access
to the signing operations is protected by multiple PINs, which may be
distributed to multiple individuals and/or used to establish different
signing authorization levels associated with different types of files.
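
The scheme described above, modeled as an added example (not code from the original document): a card object that keeps the key internal and signs only when the PIN holders required for the file type have unlocked it. HMAC stands in for the card's asymmetric signature, and the holder names, PINs, file types, retry limit and per-signature PIN re-entry are assumptions.

```python
import hashlib
import hmac
import secrets


class SigningCard:
    """Toy model of the card: the key and PINs exist only inside this object."""
    MAX_TRIES = 3  # assumption: the page does not give a retry limit

    def __init__(self, pins, policy):
        self._key = secrets.token_bytes(32)  # created on-card, no export method
        self._pins = dict(pins)              # holder -> PIN
        self._policy = dict(policy)          # file type -> holders who must unlock
        self._tries = {h: self.MAX_TRIES for h in self._pins}
        self._unlocked = set()

    def verify_pin(self, holder, pin):
        """Present one holder's PIN; a blocked or unknown holder always fails."""
        if self._tries.get(holder, 0) == 0:
            return False
        if hmac.compare_digest(self._pins[holder].encode(), pin.encode()):
            self._tries[holder] = self.MAX_TRIES
            self._unlocked.add(holder)
            return True
        self._tries[holder] -= 1
        return False

    def _tag(self, file_type, data):
        # Assumption: the file type is bound into the signed message.
        msg = file_type.encode() + b"\x00" + hashlib.sha256(data).digest()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def sign(self, file_type, data):
        """Sign only if every holder required for this file type has unlocked."""
        required = self._policy.get(file_type)
        if required is None or not set(required) <= self._unlocked:
            raise PermissionError(f"not authorized to sign {file_type!r}")
        self._unlocked.clear()  # assumption: PINs are re-entered per signature
        return self._tag(file_type, data)

    def check(self, file_type, data, signature):
        """Stand-in for the terminal's public-key verification."""
        return hmac.compare_digest(self._tag(file_type, data), signature)


def demo_card():
    """Constructed policy: config files need one PIN, firmware needs two."""
    pins = {"alice": "4821", "bob": "7350"}
    return SigningCard(pins, {"config": {"alice"}, "firmware": {"alice", "bob"}})
```

With a real card the verification step would run on the terminal against the public key, so nothing secret is needed outside the card.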