2010/3/7 Eddy Nigg <eddy_n...@startcom.org>:
> On 03/07/2010 04:01 PM, Martin Paljak:
>>
>> The reason for "central certificate stores" for software keys is
>> universality and API. Windows provides an API, Mac provides an API, Firefox
>> implements only PKCS#11.
>>
>
> PKCS11 is a standard and I suspect that it's possible to interact with those
> crypto stores through PKCS11. APIs may be invented and changed by various
> software, which mostly don't follow any standard.

Windows is also a (de facto) "standard" which you can't ignore. Same
goes for OS X. There's no point in discussing "standards" if you want
to produce an .exe that works with Windows Vista (and whatever
standard or non-standard glitches and quirks it has) or discuss
replacing the GUI on Mac OS X with a "standard" GUI (X11?). Windows (and
whatever APIs it provides) is a standard (for applications that run on
Windows), OS X with its APIs is a standard (for Mac apps). Yes, there
is POSIX and whatnot, but that's mostly on paper. For Fedora, NSS
is the "crypto standard", for others it is OpenSSL. Windows and Mac
are not like Linux.

Discussions (and implementations) of which layer should be the topmost
(PKCS#11->CAPI or vice versa, CDSA->PKCS#11 or vice versa) have not
yet been usable or practical, to my knowledge. Conceptually it should
be possible; in real life matching the corner cases becomes difficult
if not possible. Last time I checked, the PKCS#11 module that came with
OS X that should translate at least Tokend (smart card) drivers to
Firefox ... just crashed.

It is not about APIs, it is about "how it should be done" and what it
is you're trying to do. Why does the file open dialog tend to come from
the OS platform?

>> The fact that platform APIs are not used (or the argument that they work
>> poorly or something similar) is something Mozilla people should answer to.
>>
>
> Well, the arguments were usually exactly the point I made. Firefox (and
> other applications) have their own crypto store, making it independent from
> what happens at the system level. There are obviously pros and cons for this
> approach.

One of the major cons: you need to multiply the I in PKI. The same way
Firefox makes you depend on the root CA selection done by somebody
else, it would be OK to make the user depend on the PKI interfaces
(and trust management) of the platform, if the platform provides one.
For me, soft certs on both Mac and Windows, with Firefox, feel like
split personality (all this importing-exporting for no obvious reason).
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
