Anders Rundgren wrote:
>>>>> Q: How can an issuer know that the end-user is actually using a smart 
>>>>> card?
>>>>> A: It cannot, smart cards were never designed for "open" on-line 
>>>>> provision.
>  
>>>> It all depends on the smartcard software and how it interacts with the
>>>> enrollment software.
>  
>>> And if we stick to the initial subject, i.e. <keygen>?
> 
>> For Mozilla products it depends how well the PKCS#11 module for a
>> certain smartcard is implemented. When looking at the OpenSC mailing
>> list many of the issues are with different smartcard file system
>> layouts. But that's a level below <keygen>.
> 
> Maybe you could enlighten us a bit on how an issuer using <keygen>
> (which in Mozilla's implementation means connecting to a PKCS #11 driver),
> in some way can be assured that the user really is using a smart card rather
> than a file-based key-store?

Oh, come on! I know it's currently not possible.
And in contrast to you, IMO it's more in the user's interest to use a
secure key store.

Furthermore I don't see a reason why there can't be an additional HTML
attribute for <keygen> which lists the names of acceptable PKCS#11
and/or CAPI key stores. I'd vote against an abstract "smartcard bit" or
"HSM bit" anyway. If a CA wants to make a provision about which key
store to use it should explicitly specify acceptable key stores by name.
Because these names, e.g. registered with IANA, can be explicitly written
into a CPS.

Ciao, Michael.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
