On 2009-07-20 03:04 PDT, Ian G wrote:
> On 20/7/09 09:18, Udo Puetz wrote:
>
>> <rant mode> From a usability point of view I would consider the WHOLE
>> thing to be a nightmare. I intended to write up a howto, gave that up
>> now for the time being.
>> And by the way: ASN1, PKCS#7, PKCS#12. Who was the (pardon my french)
>> braindead person to name these things? I could probably learn the
>> difference (I know lots of other 3-4 letter acronyms) but guess what I
>> hear when I try to remote-debug a call from a luser when I tell them
>> to give me the PKCS#12 cert...?</rant mode>
>> Anyway, thanks for your efforts, I consider the whole thing for the
>> time being as not usable and recommendable.
>
> This is a lesson that all users find and repeat. Smart cards / tokens
> are unusable in the general market.

Ian, I'm surprised that you're still beating that dead horse.

First, none of the standards that Udo maligned above has anything to do with hardware. Nothing at all. Second, your "sacred hardware" arguments have all recently been refused. Have you forgotten? Seeing as how NSS never requires any hardware, that argument is rather silly in this context. Maybe it made you feel better?

As for Udo's rants, Udo has reported that two of the users he was trying to help have subsequently resolved their own problems without his help. Maybe Udo is just unhappy that he had more problems with this stuff than the users he was trying to help did. Maybe Udo will have more success with ROT13.

The only people who have trouble with PKI are the people who try to be their own CAs using OpenSSL, after reading some web page that repeats the nonsense that real CAs add no value and anyone can successfully be his own CA with OpenSSL in 5 minutes. Many (most?) users who try it, find and repeat the lesson that there's more to being a CA than there is to being a PGP user. Ranting about that is like people who try and fail to repair their own automobiles ranting at the automobile manufacturers.

Now, finally, I'll put on my forum moderator hat and remind participants that this is a developer forum, for developers of NSS and developers of software that uses NSS. The place for people who failed to be their own CA using OpenSSL is alt.CA.wannabee.rants.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto