On 09/28/2013 12:45 AM, From Ryan Sleevi:
> NSS already performs checking that the given smart card used to authenticate is present whenever encrypting or decrypting data. This includes cached session resumption as well.
Not SSL session of course, but on the web application layer.
> If you're not relying on that client-authenticated SSL session, then it sounds like an application design issue on your web apps side, rather than something missing from the Web Platform.
Of course, how can the web application know if a smart card is removed otherwise? It must get that input from somewhere, doesn't it?
> Yes, but a website has no knowledge about whether or not the given client certificate is on a smart card.
The web site probably not, but the web site operator - there are banks, health services and others (like us) that use smart cards knowing that the client certificate exists only in a smart card.
> This certainly doesn't seem like a use case that fits the web security model, so I'm still trying to refine and understand what you're discussing here.
As explained - if a client certificate exists only on a smart card (by design enforced) and that cert is used for authentication, if the card is removed I want to trigger termination of the current session (call it log out) and if the card is inserted again authentication is performed again.
That's the functionality which window.crypto.enableSmartCardEvents provides that is discussed here for removal. I assume it was put into the capabilities of FF exactly for this purpose in the first place.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
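The removal-triggers-logout flow Eddy describes, as an added example that is not code from the thread, from Mozilla, or from StartCom. It wires the Firefox-only window.crypto.enableSmartCardEvents flag to an application-level logout. Assumed here: once the flag is set, Firefox dispatched "smartcard-insert" and "smartcard-remove" events on `document` (the legacy Firefox behaviour); the `terminateSession` and `reauthenticate` hooks, the `/logout` and `/login` paths, and the `createSmartCardSessionGuard` name are hypothetical placeholders for whatever the application does. The demo at the bottom runs outside a browser against a constructed fake `document` and fake `window.crypto` so the state machine can be exercised offline.

```javascript
"use strict";

// Attach smart-card insert/remove handling to a page that was loaded under a
// client-certificate-authenticated session. `doc` is `document`, `cryptoObj`
// is `window.crypto`, `hooks` is application code (hypothetical names).
function createSmartCardSessionGuard(doc, cryptoObj, hooks) {
  const guard = {
    supported: false,
    authenticated: true, // the page itself was served over the client-cert session
    log: [],             // what the guard observed, for the caller/tests
  };

  // Feature-detect. Without the (Firefox-only) flag the browser gives the page
  // no signal at all when the card is pulled, so the only remaining control is
  // whatever the server enforces (short session lifetime, re-handshake, etc.).
  if (!cryptoObj || !("enableSmartCardEvents" in cryptoObj)) {
    guard.log.push("unsupported");
    return guard;
  }
  cryptoObj.enableSmartCardEvents = true; // ask Firefox to fire the events below
  guard.supported = true;

  doc.addEventListener("smartcard-remove", () => {
    if (!guard.authenticated) return; // already logged out; ignore repeats
    guard.authenticated = false;
    guard.log.push("remove");
    hooks.terminateSession();          // e.g. POST /logout so the server drops the session too
  });

  doc.addEventListener("smartcard-insert", () => {
    if (guard.authenticated) return;   // card inserted while still logged in (another reader); nothing to do
    guard.log.push("insert");
    // The application decides how to re-authenticate, typically by sending the
    // user back to a login URL that forces a fresh client-cert handshake.
    // The hook returns true once the new session is established.
    guard.authenticated = hooks.reauthenticate() === true;
  });

  return guard;
}

// Offline demonstration with a constructed fake document/crypto object.
function demoSmartCardGuard() {
  const fakeDoc = new EventTarget();                   // stands in for `document`
  const fakeCrypto = { enableSmartCardEvents: false }; // stands in for `window.crypto`
  const calls = [];
  const guard = createSmartCardSessionGuard(fakeDoc, fakeCrypto, {
    terminateSession: () => calls.push("POST /logout"),
    reauthenticate: () => { calls.push("GET /login"); return true; },
  });

  fakeDoc.dispatchEvent(new Event("smartcard-remove"));
  fakeDoc.dispatchEvent(new Event("smartcard-remove")); // duplicate: must not log out twice
  fakeDoc.dispatchEvent(new Event("smartcard-insert"));

  return {
    flagSet: fakeCrypto.enableSmartCardEvents,
    supported: guard.supported,
    authenticated: guard.authenticated,
    calls,
    log: guard.log,
  };
}

if (typeof document === "undefined") {
  console.log(JSON.stringify(demoSmartCardGuard()));
}
```

The client-side event is only a courtesy signal: a modified or non-Firefox client can simply never call the logout hook, so the server must still bound the session's lifetime (or tie it to the TLS client-cert session, as Ryan points out) rather than trust the browser to report removal.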