On Fri, September 27, 2013 2:22 pm, Eddy Nigg wrote:
> On 09/27/2013 11:52 PM, From Ryan Sleevi:
> > Let me try it differently: What actions do you take on this information?
>
> Terminating a current session or triggering authentication to a new
> session.

When you define session, what do you mean here?

NSS already performs checking that the given smart card used to authenticate is present whenever encrypting or decrypting data. This includes cached session resumption as well.

This does not seem like it's a capability that needs to be or should be exposed at the platform layer. At best, it seems like a proposal to change how Firefox handles SSL in the browser, which may either be a feature request or bug of PSM or NSS - but not a Web API.

If you're not relying on that client-authenticated SSL session, then it sounds like an application design issue on your web apps side, rather than something missing from the Web Platform.

> > As far as I know, IE doesn't provide the smart card insertion/removal
> > events, except perhaps through ActiveX.
>
> Yes exactly.
>
> > Why should a web page care about a user's hardware state, given that
> > there exist no Web APIs to actually leverage this hardware state?
>
> Consider a banking site or others like administrative sites that use
> client certificates (provided on a smart card).
>
> > This would be akin to wanting to know about USB events, for which there
> > is no USB API for in the Web [putting extensions aside for a moment]. Or
> > wanting to know when the user plugs in a new keyboard or mouse; why
> > should it matter?
>
> Probably because we like to use a browser for such tasks instead of
> implementing a dedicated UI. And client certificates (which may be used
> on smart cards) are part of the browser capabilities.

Yes, but a website has no knowledge about whether or not the given client certificate is on a smart card (nor can it, at least without out-of-band knowledge).

This certainly doesn't seem like a use case that fits the web security model, so I'm still trying to refine and understand what you're discussing here.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto