Just to make clear what *I* mean by smart card support: it does not mean supporting something that is packaged in a card-like container or in a USB stick, but a cryptographic mechanism that protects keys from direct external access through software or through other means (within reason).

For an issuer it is important to know that keys are in such storage, and AFAIK the only way that can be assured in a reasonable way is that the container itself contains a private key and certificate which is used for attest-signing generated keys. Whether the entire request must be done in HW is a matter of policy, which KeyGen2 is mum about. Current "real" smart cards do not generally support embedded attest keys, but TPMs may do. That is, if the issuer doesn't recognize the container it will most likely abort the rest of the process.

Here is a "smart card" of my choice:
http://webpki.org/papers/keygen2/keygen-gui-detail-1.html

The above shows the typical viewable result after running 3 of the 6 protocol steps (plus user-authentication, which can be arranged in any "webbish" way).

A "soft token" of the future may look something like the following:
http://webpki.org/papers/keygen2/sql-databases-as-universal-keystores.pdf

Then the ability to specify PIN policies by an issuer is nice to have:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/29dc5d1571421f95

Upgrading existing Mozilla schemes to this level is maybe doable but I won't try it. Naturally this is not an easy match; it will take years to accomplish and it may fail [hard] as well :-(

Anders
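The attest-signing check described in the message above, as an added Go example; it is not part of the original post and is not KeyGen2 code. Assumptions: `Container`, `newP256`, `digest`, `GenerateKey` and `IssuerVerify` are hypothetical names, the issuer's list of trusted attestation public keys stands in for validating the container's certificate, and the issuer-supplied nonce is an added freshness value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type Container struct{ attest *ecdsa.PrivateKey } // hypothetical key store with an embedded attestation key

func newP256() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func digest(nonce, spki []byte) []byte { // nonce: assumed issuer freshness value
	h := sha256.Sum256(append(append([]byte{}, nonce...), spki...))
	return h[:]
}

// GenerateKey makes a key inside the container and attest-signs its public half.
func (c *Container) GenerateKey(nonce []byte) (spki, sig []byte, err error) {
	k, err := newP256()
	if err != nil {
		return nil, nil, err
	}
	if spki, err = x509.MarshalPKIXPublicKey(&k.PublicKey); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, c.attest, digest(nonce, spki))
	return spki, sig, err
}

// IssuerVerify accepts a key only if a recognized container signed it.
func IssuerVerify(nonce, spki, sig []byte, trusted ...*ecdsa.PublicKey) error {
	for _, pub := range trusted {
		if ecdsa.VerifyASN1(pub, digest(nonce, spki), sig) {
			return nil
		}
	}
	return fmt.Errorf("container not recognized, aborting enrollment")
}

func main() {
	ak, _ := newP256() // constructed attestation key
	n := []byte("constructed-issuer-nonce")
	spki, sig, _ := (&Container{ak}).GenerateKey(n)
	fmt.Println(IssuerVerify(n, spki, sig, &ak.PublicKey))
}
```

A key attested by a container whose attestation key is not in the issuer's trust list, a signature replayed under a different nonce, and a public key altered after signing are all rejected by `IssuerVerify`.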