On Tue, Mar 17, 2009 at 4:40 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I agree that there needs to be some fixing. I think you, Anders and
> Johnathan presented some very interesting ideas. Being able to carry the
> certs around including a policy profile in a piece of software is
> interesting too. It would solve me a lot of problems actually.

The 'policy profile' is actually more a thing related to hardware -- if the hardware manufacturer signs the device key, the device cert can prove (to some predetermined extent) that it understood the profile, and implemented it.

> On the other hand there are smart cards which do that excellent, is buying
> one such a hard thing to do? They do exactly what we all want. I have them
> deployed here everywhere, but I agree that I'm not representative in this
> respect. And it doesn't require a lot of geek knowledge, but the most
> difficult part is still configuring the right module with NSS - this isn't
> something Mom and Pap can do :-(

The problem isn't smart cards, it's the lack of smart card readers, the lack of a USB standard profile for smart-card-like devices, and the tiny amount of memory available on those things.

One of the ways that the current Firefox interface for certificates fails the user is that it doesn't allow the user to group related certificates together. It presents all possible certificates in one single list, and I'm not sure it even supports sorting the list... and atop this, the certificate details are too wide for the window they show up in.

Another way that Firefox fails the user is that there's no way to have it auto-detect a new 'smart card' device, it must be configured manually in secmod.

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto