> My scenario is a billion+ community who haven't a clue what a CSP
> is and never will.  They may not even know what a certificate is!
>
> A CSP-solution doesn't give the issuer any information about where and
> how a key was generated.  The same goes for NSS, JCE, and PKCS #11.

A developer *can* know where keys were generated, because keys are
generated for a specific CSP.
In other words: I (as a developer) select my CSP (which I know maps
to a card) and generate keys -> keys are in the card.
Anyhow, this is a technical discussion, and that is what I want to avoid.


> See section 9.5 of:
> http://forja.cenatic.es/docman/view.php/160/684/cwa14890-01-2004-Mar.pdf

I know what SM messages are. I didn't understand "container
attestation". (As you already know, it's my lack of English :P)

> http://openkeystore.googlecode.com/svn/trunk/resources/docs/Efficient-Provisioning-of-Complex-Structures-Over-Unsecured-Channels.pdf

Aren't those the same slides you already gave me?

> As can be seen from the documents, Secure Messaging isn't something you could 
> bring up on a typical cocktail party :-) :-)

What kind of bloody insane naughty and lusty parties do you go to?
(Can I go with you?)


> If it works like "CertEnroll" or "SConnect" it is indeed an extremely
> bad idea because it exposes the card to accesses by untrusted parties.

So, a webpage should not be able to query a smartcard (and get a public
key from a card).
Can't we control that with a "this site is requesting smartcard access:
allow/deny?"

> Almost.  I started years ago with a protocol and later realized that
> secure messaging must be a part of that.  However, given the weirdness
> of smart cards, I found that you would also need a carefully matching
> container in order to ever get it supported inside a standard browser.

I think this is another story. Probably more correct or with a higher
knowledge, but "creating another standard" is not what I'm discussing
here.

As I asked you before, please try to answer this question for me (this
will help me understand the problem):

I want to detect when the card is inserted, to be able to request a
cert (generate keys) inside the card (only).
Is "what I want" a bad idea? (You can always show an alert to
allow/deny web page card access.)
How could we do it? (I think PKCS #11 is a simple/clear/well-known way
of doing it.)
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto