On Fri, September 27, 2013 3:46 pm, Eddy Nigg wrote:
> On 09/28/2013 12:45 AM, From Ryan Sleevi:
> > NSS already performs checking that the given smart card used to
> > authenticate is present whenever encrypting or decrypting data. This
> > includes cached session resumption as well.
>
> Not SSL session of course, but on the web application layer.
>
> > If you're not relying on that client-authenticated SSL session, then it
> > sounds like an application design issue on your web apps side, rather
> > than something missing from the Web Platform.
>
> Of course, how can the web application know if a smart card is removed
> otherwise? It must get that input from somewhere, doesn't it?
>
> > Yes, but a website has no knowledge about whether or not the given
> > client certificate is on a smart card.
>
> The web site probably not, but the web site operator - there are banks,
> health services and others (like us) that use smart cards knowing that
> the client certificate exists only in a smart card.
>
> > This certainly doesn't seem like a use case that fits the web security
> > model, so I'm still trying to refine and understand what you're
> > discussing here.
>
> As explained - if a client certificate exists only on a smart card (by
> design enforced) and that cert is used for authentication, if the card
> is removed I want to trigger termination of the current session (call it
> log out) and if the card is inserted again authentication is performed
> again.
>
> That's the functionality which window.crypto.enableSmartCardEvents
> provides that is discussed here for removal. I assume it was put into
> the capabilities of FF exactly for this purpose in first place.
>
I'm sorry, but what you just described seems entirely unnecessary.

If your site requires a client certificate, and you know that a client certificate is stored in a smart card, then you also know that when using Firefox, and the smart card is removed, Firefox will invalidate that SSL/TLS session. Because your site requires a client certificate, their current session is thus terminated. When they attempt to establish a new SSL/TLS session, your site will again require a client certificate, and they either insert a smart card or they don't.

Such an API seems entirely unnecessary - 'it just works' like above.

It sounds like you're using a weaker security guarantee though - namely, that you're not requiring SSL/TLS client certificate authentication, and thus want some other out of band way to know when the user removed their smart card.

The interoperable solution is simple - don't do that. When the user removes their smart card, the SSL/TLS session is invalidated, and the user is 'logged out'.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
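
A server-side illustration of the design argued for in the reply above, added here and not code from the thread, NSS or Firefox: the application session is honoured only on a connection where the TLS layer verified the same client certificate, so a request arriving without it ends the session. The class, the function names and the placeholder certificate bytes are assumptions.

```python
import hashlib
import hmac
import secrets


class CertBoundSessions:
    """Application sessions valid only on client-authenticated TLS connections."""

    def __init__(self):
        self._fingerprints = {}  # session id -> SHA-256 of the client cert (DER)

    @staticmethod
    def _fingerprint(cert_der):
        return hashlib.sha256(cert_der).digest()

    def login(self, peer_cert_der):
        # peer_cert_der: DER bytes of the certificate the TLS layer verified on
        # this connection (e.g. ssl.SSLSocket.getpeercert(binary_form=True)),
        # or None if the client presented no certificate.
        if not peer_cert_der:
            raise PermissionError("client certificate required")
        sid = secrets.token_urlsafe(32)
        self._fingerprints[sid] = self._fingerprint(peer_cert_der)
        return sid

    def authorize(self, sid, peer_cert_der):
        expected = self._fingerprints.get(sid)
        if expected is None:
            return False
        if not peer_cert_der or not hmac.compare_digest(
            expected, self._fingerprint(peer_cert_der)
        ):
            # Session id seen without the bound certificate: revoke it, so the
            # user is logged out until they authenticate with the card again.
            del self._fingerprints[sid]
            return False
        return True


def demo():
    # Constructed placeholder bytes standing in for DER-encoded certificates.
    card_cert = b"constructed-der-bytes-for-smart-card-cert"
    other_cert = b"constructed-der-bytes-for-another-cert"
    sessions = CertBoundSessions()
    sid = sessions.login(card_cert)
    with_card = sessions.authorize(sid, card_cert)
    without_card = sessions.authorize(sid, None)        # no cert on this connection
    after_revoke = sessions.authorize(sid, card_cert)   # must log in again
    wrong_cert = sessions.authorize(sessions.login(card_cert), other_cert)
    return with_card, without_card, after_revoke, wrong_cert
```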