Aug 30, 2007 (!!!) Nelson Bolyard wrote:

/NSS, the crypto software used in Mozilla browsers and email clients, was one 
of the first adopters of PKCS#11, the interface standard for crypto devices 
like smart cards and USB crypto fobs. Network
client products that use NSS have been able to work with a large variety of 
crypto devices from various vendors for a decade now.

But for much of that time, it was not economical for individual users to get 
their own crypto devices. In quantities of 10,000, the prices were reasonable, 
but if you only wanted to buy one or two,
the prices were well over USD $100 each, for a long time.

As an NSS developer, I was frustrated that crypto devices were economical for 
my employer, but not for me personally. I had the use of a crypto device 
provided by my employer, but the keys in it were
the property of my employer, and they could legally take them whenever they 
wanted.

I wanted a device of my own, that I owned, and that no-one had the right to 
use, except me. But it just wasn't economical.

Now that seems to have changed. Good USB crypto devices can be had for less 
than USD $50, and really good ones for well below $100.

Today, I'm using an Aladdin eToken Pro USB device with enough memory to store 
all the certs and private keys I'll need for a few years to come. It works very 
well with Mozilla, Firefox, Thunderbird,
SeaMonkey, etc. I'm using it with Aladdin's software on Windows, but Linux 
drivers are also available through OpenSC. I bought mine from startcom.org. I'm 
very pleased with it. It's mine, all mine! :-)

So, I'm wondering. Are others on this list also using their own personal smart 
cards or crypto devices (not their employers', but theirs personally)? Are they 
working well for you with Mozilla
products? With other products? Would you recommend the product you use to 
others? What did it cost you? On what platforms is it supported?

Obviously, I don't want to turn this into a big advertising opportunity, but I 
figure if people are telling their own personal success stories about products 
they personally bought (like I did), we
shouldn't go too far off into advertising land./

--------

The somewhat bigger question is why we should care about smart cards when you 
effectively must have some kind of CMS (Card Management System) to make on-line 
credential distribution useful also for
people without a PhD in cryptography.  Firefox has AFAIK not improved on this 
point since 199X.  Since PKCS #11, as has been attested [1] by Bob Relyea, doesn't 
actually address the enabling part at all,
there are obviously quite a few holes in the NSS vision.

It is in this context worth mentioning that Microsoft recently put their quite 
interesting CardSpace client on the backburner [2] since they never managed to 
make it work with smart cards (which comes as
no surprise since this part essentially is stuck in a form tailored for Windows 
98).

If we are really serious about competing with passwords it must be exactly as 
easy for the end-user getting a certificate as it is defining/getting a 
password.  It's that simple.  Or hard if you
prefer that :--)

Anders

[1] http://groups.google.com/group/mozilla.dev.tech.crypto/msg/20810995b57e6808

[2] 
http://blogs.msdn.com/b/card/archive/2011/02/15/beyond-windows-cardspace.aspx

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
