Anders Rundgren wrote:
"Eddy Nigg"  wrote:

The keygen tag is used widely and Mozilla supports smart cards with the associated PIN excellently.

I'm sure about that!  However...

What I was referring to is the inability for an issuer specifying that
generated keys should be PIN-protected and what constraints
there should be on the PIN while still optionally letting the user
specify the actual PIN.
The truth is no one has asked or required that, though by default Mozilla will set a PIN whenever the underlying softoken database is initialized.

In general we have been reluctant to add attributes to either keygen or the crypto.crmf() interface that give requirements that either 1) the browser verify enforcement, or 2) that the server can't verify enforcement. That is usually things like 'only generate this key on a hardware token'. In the latter case, the server cannot guarantee that the key is generated in some hardware token because 1) the browser can lie to it (especially easy with an open source product like Mozilla), and 2) even a normal Mozilla browser can be fooled by a PKCS #11 module that lies to it.

Your case, however, seems to be more of a 'policy hint'. A "please put this key only in a PIN-protected token". That case is more reasonable because the server doesn't have to depend on the browser telling the truth. You are only trying to protect the naive user (who is unlikely to build his own modified browser). After all, the sophisticated user can easily extract the key later and insert it in a non-PIN-protected token (or even remove the PIN protection after the key is imported).

If this is indeed what you want, I suggest you file an rfe. Attaching a patch to that rfe might actually help it along as well...

bob
In addition there is no way you can see that the private key is
generated and stored in a smart card and not in the "soft token", at least not that I'm aware of.

This is a part of what I'm working with.

Anders
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
