On 23.07.2009, at 13:23, Udo Puetz wrote:
>> -Use win key store on win. Both FF and TB. If a hw token is found ask
>> the user if he wants to utilize it.
> And with it import all the potential problems of an operating system
> too? I mean, then the application can't make an independent trust
> decision really.
Really - applications don't make independent trust decisions, humans
do. Applications do make *decisions* but they are not about trust, at
least not the same. Think about thrillers and "who to trust?"
scenarios - you can make a movie out of it. But making a movie of an
algorithmic process lasting about 1ms? It's not a decision, it's just
a computation.
Yesterday I stumbled upon a really nice picture (wave, Ian!) that
somewhat explains my viewpoint: http://iang.org/papers/fc7.html#model
> Same fundamental question as above.
> I didn't manage (and neither did my colleagues) to have FF see a user
> cert below a CA where the CA is in the software store and the user cert
> came from a token. So no authentication with the token against a
> website.
All of Estonia uses Firefox the way you described: two certificates on
the card, one root and one sub-root CA in the software token. Works
perfectly, except that only the SSL-capable certificate is made
visible to Firefox to please it.
Maybe a log file from Firefox or your token provider could help. Have
a look at pkcs11-spy to reveal what's going on between your token and
Firefox, check out http://www.opensc-project.org/opensc/wiki/UsingOpensc.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
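A worked example for the debugging step Martin suggests above (added here; it is not code from the thread or from the OpenSC project). pkcs11-spy is loaded into Firefox in place of the real module and wraps it: the environment variable PKCS11SPY names the real PKCS#11 library and PKCS11SPY_OUTPUT names the log file. The script below parses such a log and answers the question that separates the two failure modes in the thread: did the token hand any CKO_CERTIFICATE objects to Firefox at all (if not, look at the token or the module), or were certificates returned and Firefox still does not offer them (then the problem is chain building against the CAs in the software store)? The sample log is constructed, modelled on the spy's `N: C_Function` / `[in]` / `[out]` / `Returned:` line format, and the function-name and attribute regexes are deliberately loose so that timestamp lines and extra parameters are ignored.

```python
"""Summarise a pkcs11-spy trace: which PKCS#11 calls failed, and how many
objects of each class the token returned to the application.

Assumed setup (not from the thread; standard pkcs11-spy environment):
    export PKCS11SPY=/usr/lib/opensc-pkcs11.so      # real module being wrapped
    export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.log     # where the trace goes
    # then load pkcs11-spy.so as the security device in Firefox
"""
import re

# Constructed sample trace, modelled on the pkcs11-spy output format.
SAMPLE_LOG = """\
0: C_Initialize
2009-07-23 13:23:00.001
[in] pInitArgs = (nil)
Returned:  0 CKR_OK

1: C_GetSlotList
[in] tokenPresent = 0x1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

2: C_OpenSession
[in] slotID = 0x0
Returned:  0 CKR_OK

3: C_FindObjectsInit
[in] hSession = 0x1
[in] pTemplate[0]:
    CKA_CLASS             CKO_CERTIFICATE
Returned:  0 CKR_OK

4: C_FindObjects
[in] hSession = 0x1
[out] *pulObjectCount = 0x2
Returned:  0 CKR_OK

5: C_GetAttributeValue
[in] hObject = 0x5
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID

6: C_FindObjectsFinal
Returned:  0 CKR_OK
"""

CALL_RE = re.compile(r"^(\d+): (C_\w+)\s*$")          # "3: C_FindObjectsInit"
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)")  # "Returned:  0 CKR_OK"
CLASS_RE = re.compile(r"CKA_CLASS\s+(CKO_\w+)")         # search template attr
COUNT_RE = re.compile(r"\[out\] \*pulObjectCount = 0x([0-9a-fA-F]+)")


def parse_spy_log(text):
    """Split the trace into one record per PKCS#11 call.

    Each record has the call sequence number, function name, the CKR_ result
    name (None if the call never returned) and the raw parameter lines.
    """
    calls, current = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = {"seq": int(m.group(1)), "func": m.group(2),
                       "rv": None, "lines": []}
            calls.append(current)
            continue
        if current is None:          # preamble before the first call
            continue
        m = RET_RE.match(line)
        if m:
            current["rv"] = m.group(2)
        else:
            current["lines"].append(line)  # timestamps, [in]/[out] params
    return calls


def summarize(calls):
    """Collect failed calls and object counts per searched CKA_CLASS."""
    errors = [(c["seq"], c["func"], c["rv"])
              for c in calls if c["rv"] not in (None, "CKR_OK")]
    found, pending_class = {}, None
    for c in calls:
        body = "\n".join(c["lines"])
        if c["func"] == "C_FindObjectsInit":
            m = CLASS_RE.search(body)
            pending_class = m.group(1) if m else "ANY"   # no class filter
        elif c["func"] == "C_FindObjects" and pending_class is not None:
            m = COUNT_RE.search(body)
            if m:                                         # may be called repeatedly
                found[pending_class] = found.get(pending_class, 0) + int(m.group(1), 16)
        elif c["func"] == "C_FindObjectsFinal":
            pending_class = None
    return {"errors": errors, "objects_found": found}


def diagnose(summary):
    """Point the investigation at the token side or the application side."""
    certs = summary["objects_found"].get("CKO_CERTIFICATE", 0)
    if certs == 0:
        return "token returned 0 certificate objects: check the token or module, not the CA store"
    return ("token returned %d certificate object(s): Firefox received them, "
            "so look at chain building against the CAs in the software store" % certs)


if __name__ == "__main__":
    summary = summarize(parse_spy_log(SAMPLE_LOG))
    for seq, func, rv in summary["errors"]:
        print("call %d %s failed with %s" % (seq, func, rv))
    print(summary["objects_found"])
    print(diagnose(summary))
```

Run it against a real trace by replacing SAMPLE_LOG with the contents of the PKCS11SPY_OUTPUT file. Non-CKR_OK results are listed but not treated as fatal on their own: a CKR_ATTRIBUTE_TYPE_INVALID while Firefox probes optional attributes is routine, whereas a certificate search that returns zero objects is the symptom worth chasing.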