On 2009-09-23 12:38 PDT, Anders Rundgren wrote: > To me cluelessness seems to be all over the map since nobody (including > the people subscribing to this list), have bothered the least about what > this thingy is supposed do, and how, and why.
I'm sorry if you feel cluelessness abounds. Let me try to help. > I (incorrectly) thought that everybody in computer security knew that > tokens usually are protected by PIN-codes, but <keygen> does not deal > with such. The PKCS#11 model of tokens does not have a PIN per key, but rather has a PIN per token. The PIN size limits (min, max) are not set at the time that a key is generated but rather at the time that the token is initialized. > I guess the idea that it is up to the user to decide what the policy > including selecting "key strength". I have a feeling that there aren't > too many banks or governments out there that would buy into this. Have you seen any UI that gives the user a way to make that decision? It's a decision made at token provisioning time. Banks and governments provision their tokens with the limits they choose. > Don't get me wrong, <keygen> was a necessity for Netscape in order to > roll out their brilliant contribution to Internet security, the SSL > protocol. Today the situation is rather different but many solutions are > still at the 1997 level. And other proposed solutions are still at the wannabe stage years later. > Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
