On 15 Jul., 16:12, Jean-Marc Desperrier <jmd...@alussinan.org> wrote:
> Udo Puetz wrote:
> > I've recently written about a windows firefox hardware token problem
> > (see list) and didn't get a solution before the discussion drifted off
> > into universalities. Problem not solved, customer unhappy and us too.
>
> It's easy for discussions in a list such as this one to drift off, but it
> seems you failed to notice that Nelson had listed you in his message
> from the 04/07/2009 at 07:28 a list of actions that were required in
> order to investigate further on what was going wrong.

Yes, I saw that and followed the tests. Because these tests didn't help resolve the problem I've written him an email with some sensitive data so that he can verify himself what's in the different stores and such. I didn't want to post the pkcs#12 file here in the list. He hasn't answered back but I really don't blame him - because he is really not under any obligation. But I still hold on to my conclusion that (in my tests at least) cross store auth (ca in software store, user in hardware token) isn't possible. But that should probably better go into the other thread.

I'm absolutely no windows zealot (I very rarely use windows) but I think (and from googling also quite a lot of other people too) that you should use the stores that are available on that platform. So windows cert store on win and the key manager on OSX. I guess that under linux it would have to rely on its software store.

You need to rely on external components (dlls for accessing hw tokens etc) anyway so why not let the writers of those dlls make it work with windows (and by that with the certstore of win) and you take the access methods provided by M$ for that store and get the certs from there?

One of the nice things: if it doesn't work you can blame M$ quite a lot. And from the two results I've seen lately (the hw token thing and now the thawte cert) it seems that the windows cert store is more robust/lax in dealing with such things. To me it seems that it works "better".