Recently there has been some discussion on the IETF PKIX list regarding future enrollment systems, including those in browsers.

I remain confident that it is infeasible to extend such a scheme to include smart cards, since Certificate Enrollment and Token Provisioning are very different, even if the latter were only about PKI. You don't have to go very far to verify this claim: just setting a PIN code usually requires "administrator" permission to the token, and that is contrary to what banks and similar providers would be interested in. AFAICT, a scalable approach should be based on the issuer establishing a secure session with the token in which it can enforce its own policy _/without elevating user or middleware privileges/_.

I have (FWIW) completely dropped the idea of creating a new browser Certificate Enrollment protocol, since it wouldn't solve any problem. Well, minor adjustments to <keygen> could be useful (such as making the key strength buttons optional), but that has nothing to do with Token Provisioning.

http://www.ietf.org/mail-archive/web/pkix/current/msg29682.html

Anders

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto