On 20 Jul., 12:04, Ian G <i...@iang.org> wrote:
> On 20/7/09 09:18, Udo Puetz wrote:
>
> > <rant mode> From a usability point of view I would consider the WHOLE
> > thing to be a nightmare. I intended to write up a howto, gave that up
> > now for the time being.
> > And by the way: ASN1, PKCS#7, PKCS#12. Who was the (pardon my French)
> > braindead person to name these things? I could probably learn the
> > difference (I know lots of other 3-4 letter acronyms) but guess what I
> > hear when I try to remote-debug a call from a luser when I tell them
> > to give me the PKCS#12 cert...?</rant mode>
> > Anyway, thanks for your efforts, I consider the whole thing for the
> > time being as not usable and recommendable.
>
> This is a lesson that all users find and repeat. Smart cards / tokens
> are unusable in the general market.
>
> The causes are a bit complex, but basically Mozilla champions the smart
> card / token method of storing PKI keys because companies can sell it to
> other companies, and companies provide the developers in this area.
>
> Mozilla does not, and no other developers are "available".
>
> The fact that hardware doesn't work in the retail / open / end-user
> market which Mozilla is most famous for is more than annoying. It
> creates a dead weight "opportunity cost". The solutions in the end-user
> market do not use hardware, and won't be implemented if they clash with
> the precious hardware model. So the end user is screwed again.
Due to recent developments (US agencies spying on its citizens, retention laws in Germany and elsewhere, Facebook, Twitter and such becoming popular), people on the internet can roughly be divided into two groups. Those that give away ANY information about themselves for, well, nothing. And those that think about the implications of using Google services and such because of the implicit data they give away. The first ones might convert if they get bitten by their openness (fired because of a Facebook entry etc.).

IF you want to do encryption (e.g. online banking) you fast realise that you need two (or more) factor authentication. And one of those is a hardware dongle because the rest is in your head or in your biometrics. Sooo, more and more people WANT to use hardware tokens (also because they are fairly cheap nowadays). So there is a very substantial market there. On "paper" it also looks as if quite a lot of devices are supported. OpenSC has a list of devices that "work" and you get Windows drivers with every hardware you purchase.

Why isn't there more focus on underlying structures? It's all nice and such if the URL bar gets green if the SSL cert is "valid" (wasn't an SSL cert forged recently because MD5 has collisions?), but it's bad if Thunderbird thinks an email is signed when it isn't.

I dunno if I bark up the wrong tree here but it needed to be said ;-) And I think that Mozilla has the knowledge (you guys), the resources and the mental state to work on such a thing - even if other browsers would also benefit from this work.

Regards
Udo Puetz

> iang

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto