> My "solution" to this is to treat all PKI-using applications as complete > applications running in trusted code. W3C tries to do something different, > we'll see how that pans out...
Ok Anders, but you are -again- talking much about your protocol, not answering my question (or at least, i didnt get it as clear as water). I think, this must be a communication problem between my spanish and yours swedish (?). I really sorry for that. Im talking about something much more simpler: "Detect a card insertion and be sure the card is doing the operation i requested". For example: Within a browser, i click on "dear card, please, RSA sign this data" button. IIUC, you say "that should not be done" or "that is not good for ~ reasons". And that is want to know. Why, if i request a certificate using a webpage (=generate keypair), i cant control if the operation is performed within the card (not in softokn)? (Using latest build, i can do that operation, but i cant control where is done...) Actually, if i access an untrusted SSL site, i see a warning "you are about to enter on an untrested site..." Why i could not see "this page wants to use the smartcard..." warning? Maybe, this discussion should be on private to avoid spamming dev-tech-crypto list...? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
