The following fragment of a coming XML-based provisioning scheme shows a
somewhat extended generateCRMFRequest() where a PIN can span from 1 to n keys.
The example uses a shared (synchronized) PIN for multiple keys which is
useful when you deploy PKI and OTP. In addition there is an issuer-specified
PUK as well (the encrypted value is in another section not shown for brevity).
Presumably you don't need to be an XML "guru" in order to digest the following
lines:

<CreateObject>
  <PUKPolicy Format="numeric" Hidden="true" RetryLimit="3"
             ValueReference="Item.1">
    <PINPolicy Format="numeric" Grouping="shared" MaxLength="8"
               MinLength="4" PatternRestrictions="three-in-a-row sequence" RetryLimit="3">
      <KeyPair ID="Key.1" KeyUsage="universal">
        <RSA KeySize="2048"/>
      </KeyPair>
      <KeyPair ID="Key.2" KeyUsage="piggybacked-symmetric-key">
        <RSA KeySize="1024"/>
      </KeyPair>
    </PINPolicy>
  </PUKPolicy>
</CreateObject>

The only real snag with this scheme is that it doesn't fit smart cards, but I
anticipate that mobile phones will take their role since the latter combine
HW-based cryptography (already featured in high-end Nokia phones) with powerful
processors, displays, keyboards, extensive connectivity options, and Gb storage
capabilities. Yes, it would of course work with an extended soft token
provider as well!
Now to a problem regarding implementing this in Firefox: Recent versions of MSIE
as well as Android's WebKit have an advantage compared to Mozilla since they
in reality offer a richer development platform due to the links to .NET and
Java respectively. I hope the Mozilla team some day considers adopting JSE or
Mono as the foundation for extensibility rather than adding missing pieces like
XML validation and security to the Mozilla core because the latter may turn out
to be a dead-end.
The current implementation plan is to add this in parallel to Mozilla's
security architecture in the same way as some other Open Source groups have
added support for Information Cards to Firefox. Unfortunately it won't be able
to support TLS-client-cert-auth but there is a replacement for that as well
which is more in line with Information Cards; in fact the GUI is identical.
In case you are interested in this work, just drop me a line.
Anders Rundgren
WebPKI.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
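
Added example, not part of the original message and not code from the provisioning scheme it describes: a Python reading of the fragment above that extracts the PINPolicy, lists the keys sharing the PIN, and checks candidate PINs against the policy. The function names load_pin_policy and pin_violations, and the meanings given to "three-in-a-row" and "sequence", are assumptions; the message does not define them.

```python
import xml.etree.ElementTree as ET

# The fragment from the message (whitespace aside); the encrypted PUK value
# that ValueReference points to is not shown there and is not needed here.
FRAGMENT = """<CreateObject>
  <PUKPolicy Format="numeric" Hidden="true" RetryLimit="3" ValueReference="Item.1">
    <PINPolicy Format="numeric" Grouping="shared" MaxLength="8" MinLength="4"
               PatternRestrictions="three-in-a-row sequence" RetryLimit="3">
      <KeyPair ID="Key.1" KeyUsage="universal"><RSA KeySize="2048"/></KeyPair>
      <KeyPair ID="Key.2" KeyUsage="piggybacked-symmetric-key"><RSA KeySize="1024"/></KeyPair>
    </PINPolicy>
  </PUKPolicy>
</CreateObject>"""


def load_pin_policy(xml_text):
    """Return the PINPolicy attributes plus the IDs of the keys it governs."""
    pin = ET.fromstring(xml_text).find("./PUKPolicy/PINPolicy")
    if pin is None:
        raise ValueError("no PINPolicy under PUKPolicy")
    policy = dict(pin.attrib)
    policy["keys"] = [k.get("ID") for k in pin.findall("KeyPair")]
    return policy


def pin_violations(pin, policy):
    """List the policy rules a candidate PIN breaks (empty list means accepted)."""
    if policy.get("Format") == "numeric" and not (pin.isascii() and pin.isdigit()):
        return ["format"]  # remaining checks are only meaningful on valid input
    problems = []
    if not int(policy["MinLength"]) <= len(pin) <= int(policy["MaxLength"]):
        problems.append("length")
    rules = policy.get("PatternRestrictions", "").split()
    # Assumed meaning: the same character three times in a row, e.g. 7111.
    if "three-in-a-row" in rules and any(
            pin[i] == pin[i + 1] == pin[i + 2] for i in range(len(pin) - 2)):
        problems.append("three-in-a-row")
    # Assumed meaning: the whole PIN is one ascending or descending run, e.g. 1234.
    if "sequence" in rules and len(pin) > 1:
        steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):
            problems.append("sequence")
    return problems
```
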