On Sat, Apr 18, 2009 at 11:04 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Martin, please tell us about your uses of smart cards.

Personally I use different smart cards for different purposes but I assume you're more interested in usages related to an average user.

> Some info I'd like to know include:
> - what kind of entity issued your smart card?

government, Estonian eID

> Do you and your wife have cards from the same issuers? or different?
> If different, what kind of entity issued her card?

Same

> How long have you had your cards?

Me - Since 2003 when they were introduced (I have changed cards and updated certificates of course, I think my current card is my 3rd or fourth, and I've re-generated my keys and certificates on two cards. You can only do it once during the lifetime of the card.)
My wife - since 2005 I guess.

> How many different sites do your cards work with?
> 1? 2? 5? 10? etc?

Many Estonian websites use it (banking, taxes, self-services of commodity service providers (telco, electricity etc), e-voting, e-school, e-government portal ...). I guess the number might be around 50..100 "heavy-weight" (public service) websites these days.

As in real life SSL does not fulfill all the promises of a password-less web (I can't use my client certificates on websites which have not been configured for it, so on 99.999% of SSL enabled websites I can not use my card), the openid.ee OpenID provider allows me to use my card for authentication on any OpenID enabled website in the world. Those do not count as SSL-enabled sites, but there are thousands of them out there.

> How many times a week do you actually use your card for authenticating
> to a web site?

I'm a heavyweight user so I use it almost daily. My wife uses it maybe a few times a month, when she needs to do some banking or related activities (which she does not do usually). Estonia is the forerunner in internet banking and 80% of users log into their bank at least once a week. Not all of them use eID cards for authentication, but people using eID still count in tens of thousands (<200k though).
Those who use eID for online authentication I believe use it a few times a week.

> Do you also use your card for other purposes, such as signed email?

Sure, electronic signatures (in XAdES format). Almost all contracts I sign as a private person or for my company are in the form of a PDF and digital signatures (not PDF signatures, but PDF signatures in XAdES envelopes). Documents are forwarded in e-mail but not in S/MIME, which has no practical use in Estonia other than e-mail encryption for transport. S/MIME signatures do not count as legally binding signatures. Also bank transactions are signed (there are two certificates and two PIN codes on the card, one for authentication and one for non-repudiation/digital signatures).

There was a huge mess about two years ago when FF tried to use non-repudiation keys without SSL client certificate extensions for SSL client authentication. The workaround is still in use these days - a special PKCS#11 module for Firefox which only exposes the authentication certificate. This is because FF still tries to use the certificate where the key has non-repudiation KU and no EKU for SSL client authentication from the same CA even if there is a certificate with client authentication EKU. So even if Apple is bad, there's a bad apple in FF garden as well :)

In the end I gave up the fight in Bugzilla as there was no consensus on how the client should behave and what is a "vendor glitch" and what is not...

--
Martin Paljak
mar...@paljak.pri.ee
http://martin.paljak.pri.ee
GSM:+3725156495

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
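
The key usage distinction described in the message above, as an added example that is not part of the original post: it builds two constructed, throwaway self-signed certificates (one with digitalSignature KU and clientAuth EKU, one with nonRepudiation KU and no EKU) and asks OpenSSL which of them it accepts as a TLS client certificate. It assumes OpenSSL 1.1.1 or later; the function names are hypothetical, and the result reflects OpenSSL's own purpose check, not Firefox's selection logic.

```shell
#!/bin/sh
# Constructed demo certificates; these are not real eID card certificates.
WORK=$(mktemp -d)

# make_certs: create auth.pem and sign.pem in $WORK (throwaway RSA keys).
make_certs() {
    # Authentication certificate: digitalSignature KU plus clientAuth EKU.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=auth (constructed)" \
        -keyout "$WORK/auth.key" -out "$WORK/auth.pem" \
        -addext "keyUsage=critical,digitalSignature" \
        -addext "extendedKeyUsage=clientAuth" 2>/dev/null || return 1
    # Signing certificate: nonRepudiation KU only, no EKU extension at all.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sign (constructed)" \
        -keyout "$WORK/sign.key" -out "$WORK/sign.pem" \
        -addext "keyUsage=critical,nonRepudiation" 2>/dev/null || return 1
}

# usable_for_client_auth FILE: succeeds when OpenSSL's purpose check accepts
# the certificate as a TLS client certificate (it looks at both KU and EKU).
usable_for_client_auth() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# pick_client_cert FILE...: print the first certificate that passes the check,
# regardless of the order in which the token happens to list them.
pick_client_cert() {
    for cert in "$@"; do
        if usable_for_client_auth "$cert"; then
            echo "$cert"
            return 0
        fi
    done
    return 1
}

# The signing certificate is listed first on purpose; it must be skipped.
make_certs && pick_client_cert "$WORK/sign.pem" "$WORK/auth.pem"
```
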