Robert Relyea wrote: <snip>
Token provisioning is outside the PKCS #11 module. It uses global platform secure channels to communicate to the card. The APDUs are specific to the card's applet.

Yes, and this is why Firefox and other browsers are slightly incompatible with the web from a client-side PKI perspective since none of the above is likely to ever be supported from a browser down to crypto middleware and token.

Therefore I maintain that a high(er)-level E2ES provisioning scheme like SKS will eventually make PKI "a better password", not only for security reasons but also from a usability perspective.

SKS does not build on Global Platform because GP is tied to a business model which IMHO makes GP less suited for an Internet populated by a gazillion users and providers. You should be able to buy an "Internet token" at Wal-Mart that can be used "as is" without awkward driver installation.

Such functionality might one day even be a part of NSS since SKS is designed to be a "companion API" to PKCS #11 :-)

Anders
http://webpki.org/auth-token-4-the-cloud.html

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto