Dear All,

I would like to ask for your help with the following problem.

Assume we have a smart card with two keypairs and two corresponding certificates. One keypair is used for electronic signatures, the other is used for SSL authentication. The card has two PIN codes: PIN1 protects the key used for signing, and PIN2 protects the key for SSL authentication.

If I want to sign a document, I need to provide PIN1 (which is '123456'). If I want to access a protected website, I need to provide PIN2 (which is '12345'). This means that if I need to access a protected resource, I provide PIN2 to the application, and thus a malicious application cannot create a signature on my behalf.

I was told the following (by a card vendor): If I use the above card with Mozilla, then I have to provide both PIN codes when I perform an SSL authentication. The reason for this is that Mozilla first logs into the card (into all key containers with all PIN codes), and only then can it select the appropriate certificate.

I was told (by the card vendor) that it is _impossible_ to produce a PKCS#11 library that

- can access both keypairs, and
- requires PIN1 for signing only, and PIN2 for SSL authentication only

in Mozilla. Thus, in Mozilla it is not possible to first select the certificate and then provide the PIN code.

My question is: Is this true? If yes, can you suggest any workaround for this problem?

Thank you very much for your help.

Regards,
István

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto