>> Maybe you could enlighten us a bit on how an issuer using <keygen>
>> (which in Mozilla's implementation means connecting to a PKCS #11 driver),
>> in some way can be assured that the user really is using a smart card rather
>> than a file-based key-store?

> Oh, come on! I know it's currently not possible.

Good. We agree on one thing at least :-)

> And in opposite to you IMO it's more the user's interest to use a secure
> key store.

So you mean that banks and governments run their eID/PIV programs because
their customers and citizens have asked for it?

> Furthermore I don't see a reason why there can't be an additional HTML
> attribute for <keygen> which lists the names of acceptable PKCS#11
> and/or CAPI key stores.

You mean that issuers must know the name of their client's cryptographic
drivers? You mean that consumers should understand this? You mean that
issuers, in spite of having a "standard-to-be" method like <keygen>, *still*
must know if clients are on msie, firefox, mac etc?

> I'd vote against an abstract "smartcard bit" or "HSM bit" anyway.

Me too, since this thing is not resistant to malware and thus is no guarantee.

> If a CA wants to make a provision about which key
> store to use it should explicitly specify acceptable key stores by name.
> Because these names e.g. registered with IANA can be explicitly written
> into a CPS.

"Microsoft Enhanced Cryptographic Service Provider" is registered by IANA?

Don't take it personally, but browser-PKI is totally lame. It is a 15-year-old
Netscape "hack" that has long been overdue for replacement.

Anders

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
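Editor's added example (not part of the thread, and not code from Mozilla or the list participants): what the issuer actually receives from <keygen> is a Netscape SPKAC blob, so the quickest way to see why the key-store question above cannot be answered from the wire is to decode one and list every field it carries. The script below builds a constructed SPKAC (a 64-bit toy RSA modulus and a placeholder signature that is not a real signature; the sha256WithRSAEncryption OID is an assumption, old keygen implementations used MD5) with a minimal DER encoder, then parses it back with a generic DER walker. The decoded fields are the public key, the challenge string and a signature over them; no field names a PKCS#11 module, CAPI provider or smart card.

```python
"""Decode a Netscape SPKAC (the output of <keygen>) and list its fields.

Added example, not from the dev-tech-crypto thread.  The SPKAC is constructed
here: toy 64-bit modulus, placeholder signature bytes, assumed sha256WithRSA OID.
"""
import base64

RSA_ENC = "1.2.840.113549.1.1.1"      # rsaEncryption
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption (assumption)

# --- minimal DER encoder, only used to build the constructed sample -----------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:            # keep the INTEGER positive
        b = b"\x00" + b
    return tlv(0x02, b)

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]     # last base-128 digit has no continuation bit
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_spkac(n, e, challenge, sig):
    """SPKAC ::= SEQUENCE { PublicKeyAndChallenge, AlgorithmIdentifier, BIT STRING }"""
    spki = tlv(0x30, tlv(0x30, der_oid(RSA_ENC) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" + tlv(0x30, der_int(n) + der_int(e))))
    pkac = tlv(0x30, spki + tlv(0x16, challenge.encode("ascii")))  # IA5String
    return tlv(0x30, pkac + tlv(0x30, der_oid(SHA256_RSA) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" + sig))

# --- generic DER walker, used to decode whatever the client sent ----------------
def der_walk(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:              # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, p = [], 0
    while p < len(body):
        tag, val, p = der_walk(body, p)
        out.append((tag, val))
    return out

def oid_str(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def parse_spkac(b64):
    """Return every field an issuer can extract from a base64 SPKAC."""
    tag, body, _ = der_walk(base64.b64decode(b64))
    assert tag == 0x30, "SPKAC must be a SEQUENCE"
    pkac, sigalg, sig = der_children(body)
    spki, chal = der_children(pkac[1])
    alg, keybits = der_children(spki[1])
    rsa_seq = der_children(keybits[1][1:])[0]       # skip unused-bits byte
    n, e = [int.from_bytes(v, "big") for _, v in der_children(rsa_seq[1])]
    return {
        "key_algorithm": oid_str(der_children(alg[1])[0][1]),
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
        "challenge": chal[1].decode("ascii"),
        "signature_algorithm": oid_str(der_children(sigalg[1])[0][1]),
        "signature_len": len(sig[1]) - 1,
    }

# Constructed sample: not a real key, and the signature bytes are a placeholder.
SAMPLE_SPKAC = base64.b64encode(
    build_spkac(0xC3A5F1D29B7E4A13, 65537, "constructed-challenge", bytes(range(16)))
).decode()
FIELDS = parse_spkac(SAMPLE_SPKAC)

if __name__ == "__main__":
    for k, v in FIELDS.items():
        print(f"{k}: {v}")
```

Everything the walker recovers is public-key material plus the proof-of-possession signature; the structure has no slot for a key-store or token name, which is why a "smartcard bit" or a list of acceptable PKCS#11 modules would have to be a new attribute, and why, as the thread notes, even that would only be a client-side assertion rather than something the issuer can verify.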