On 03.07.2009, at 8:15, Anders Rundgren wrote:

According to most people who are into consumer PKI, Java applets are the best solution for cross-browser PKI. I think Java applets suck but indeed,
that's really all we got.

but please don't take it out on us. Please refrain from further sniping in this mailing list and newsgroup. Constructive contributions are welcome.




Some constructive suggestions; mostly for Firefox:

1. Use platform API-s where appropriate: CryptoAPI (and BaseCSP via this) on Windows; CDSA/Keychain on Mac OS X. Yell at both companies at the same time to fix their API-s as well (pinpad support, multiple PIN support, GUI hints (PIN vs password) etc). IIRC http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/ was the thing that should enable this, it dates back to 2005, why has this not been polished and included with the latest releases? Linux is the spaghetti mix where PKCS#11 indeed might be the best option, but once the big desktop players (KDE, GNOME) (re-)implement the relevant (bicycle/)API-s, there might be QCA (http://api.kde.org/kdesupport-api/kdesupport-apidocs/qca/html/ ) and something similar for GNOME as well. Should they be below NSS or above it in the software stack? Hard to say.

FYI, to make sense to users of eID cards, currently one has to embed the word PIN into the token description as well, so that the prompt that Firefox displays would make sense: "Please enter password for: MARTIN PALJAK (PIN1)". GUI hints would be useful...

2. Fix Firefox/NSS - Firefox still thinks that you should be able to authenticate to websites with certificates *without* the TLS client authentication extension. Add automatic certificate selection, and you get trouble.

2a. I don't know if the defaults have changed lately, but allow the end user to define the "friendly certs" option for PKCS#11 tokens, which currently has no UI except the JavaScript loading function which got removed from UI land and moved to XPI land in FF 3.5. There are tokens that require this feature, but some PKCS#11 providers like OpenSC which support many different tokens have no easy way to work in both ways.

3. For Firefox only: provide a useful JS interface to allow access to keys which are not used for web authentication but present under "my certificates" for real-life online signing procedures. I know that here the vision of a polished solution differs between people but I also second Anders that there are many (tens?) custom-built modules here in the EU which re-implement at least the minimal part: signing a hash. GUI requirements (like displaying the title of a document, displaying a legal warning, displaying the whole document to be signed) could be worked upon in a common way once the basics are agreed upon to be useful.

For now, I think the reason why there is so little interest in this field is that it is really hard to market such features. The reason why Apple has very low priorities for smart card related fixes is that it is really hard for Steve to demo this on the big stage. Same goes with Firefox. And "those who really want it, can in theory achieve their goals with extras and extensions" works as well.





--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495




--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
