Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-07 Thread Ian G
On 6/7/09 08:42, Nelson Bolyard wrote: On 2009-07-05 16:03 PDT, Ian G wrote: On 4/7/09 23:19, Nelson B Bolyard wrote: You provide customer support for Firefox? Yup. Doesn't everyone who is a techie? I mean, I don't want to, but because I am a techie, people assume that I know Firefox back to

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-06 Thread Julien R Pierre - Sun Microsystems
Martin, Martin Paljak wrote: This is because currently tokens are used for low level internet pipe things in the form of SSL/TLS. It is impossible to bring those network level events to the UI level, and it would not make much sense either. NSS allows the password prompting callback to be c

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-06 Thread Kyle Hamilton
Users are never told that a PIN is a password is a passphrase. So, they believe that a "PIN" is not a "password", and a "password" is not a "passphrase". So they think "I have to type my password to get access to this", not "the device is asking for my PIN to do what it's been asked to do." User

PKI GUI. (Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token))

2009-07-06 Thread Anders Rundgren
Martin Paljak wrote: It accepts ascii-numeric pins, but it is a PIN (with numbers) for several reasons: 1. People know PIN codes and use them on ATMs => cards have PINs which are made of numbers 2. I use pinpad readers for obvious reasons, which only have numbers 3. You are not married to your

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-06 Thread Martin Paljak
On 06.07.2009, at 1:38, Nelson B Bolyard wrote: On 2009-07-05 05:57 PDT, Martin Paljak wrote: The problem is that an average user thinks like this: "password is something like 'topsecret123', PIN code is something like '1234', I'm asked for a password, let me see, which passwords I know that

Re: Problem reading certificate from hardware token

2009-07-06 Thread Anders Rundgren
M.Hunstock wrote: Anders Rundgren schrieb: BTW, we still don't have a credible system for *remote* provisioning of smart cards on any OS, so we shouldn't expect too much progress here because PKCS #11 can't do that job actually! Why? What are you missing? http://webpki.org/papers/keygen2/se

Re: Problem reading certificate from hardware token

2009-07-06 Thread M.Hunstock
Anders Rundgren schrieb: > BTW, we still don't have a credible system for *remote* provisioning of > smart cards on any OS, so we shouldn't expect too much progress here > because PKCS #11 can't do that job actually! Why? What are you missing? -- dev-tech-crypto mailing list dev-tech-crypto@list

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-05 Thread Nelson Bolyard
On 2009-07-05 16:03 PDT, Ian G wrote: > On 4/7/09 23:19, Nelson B Bolyard wrote: >> You provide customer support for Firefox? > > Yup. Doesn't everyone who is a techie? I mean, I don't want to, but > because I am a techie, people assume that I know Firefox back to front > and can make it do ci

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-05 Thread Ian G
On 4/7/09 23:19, Nelson B Bolyard wrote: On 2009-07-04 04:19 PDT, Ian G wrote: Some remarks. On 4/7/09 12:18, Martin Paljak wrote: Firefox displays a "Please enter password for ..." dialog, which is ambiguous for casual users who need to be said very clearly when they need to enter the PIN of

Re: Problem reading certificate from hardware token

2009-07-05 Thread Eddy Nigg
On 07/06/2009 01:44 AM, Nelson B Bolyard: Sure, it's a bug. If the CA root is trusted in the "software security device", its trust bits should not be overridden by the same CA certificate on the token but alas... Is there a bug on file with a reproducible test case? Yup https:

Re: Problem reading certificate from hardware token

2009-07-05 Thread Nelson B Bolyard
On 2009-07-04 04:31 PDT, Eddy Nigg wrote: > On 07/04/2009 02:20 PM, Anders Rundgren: >>> It's not a good idea to place the CA certificate on the token because >> I think it is Firefox that's confusing. > > Sure, it's a bug. If the CA root is trusted in the "software security > device", its trust

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-05 Thread Nelson B Bolyard
On 2009-07-05 05:57 PDT, Martin Paljak wrote: > The problem is that an average user thinks like this: "password is > something like 'topsecret123', PIN code is something like '1234', I'm > asked for a password, let me see, which passwords I know that I might > type here..." More experienced

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-05 Thread Martin Paljak
On 05.07.2009, at 0:11, Nelson B Bolyard wrote: FYI, to make sense to users of eID cards currently one has to embed the word PIN into the token description as well, so that the prompt that Firefox displays would make sense: "Please enter password for: MARTIN PALJAK (PIN1)" GUI hints would be usef

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-04 Thread Nelson B Bolyard
On 2009-07-04 04:19 PDT, Ian G wrote: > Some remarks. > > On 4/7/09 12:18, Martin Paljak wrote: > >> Firefox displays a "Please enter password for ..." dialog, which is >> ambiguous for casual users who need to be said very clearly when they >> need to enter the PIN of 4 or more digits. Right now

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-04 Thread Nelson B Bolyard
Martin, I want to read your full message and respond fully later this weekend, but right now I just want to try to clarify a couple things. >>> FYI, to make sense to users of eID cards currently one has to embed >>> the word PIN into the token description as well, so that the prompt >>> that Firef

Re: Problem reading certificate from hardware token

2009-07-04 Thread Eddy Nigg
On 07/04/2009 02:31 PM, Eddy Nigg: I've been begging for this feature to be implement, to no avail... s/implement/implemented/ As such it's amazing to hear the arguments against doing so, specially when some 70% of the browser market does that successfully with no drawback or breach of priv

Re: Problem reading certificate from hardware token

2009-07-04 Thread Eddy Nigg
On 07/04/2009 02:20 PM, Anders Rundgren: It's not a good idea to place the CA certificate on the token because I think it is Firefox that's confusing. Sure, it's a bug. If the CA root is trusted in the "software security device", its trust bits should not be overridden by the same CA certi

Re: Problem reading certificate from hardware token

2009-07-04 Thread Anders Rundgren
Eddy Nigg wrote: >> Actually, I haven't seen evidence of that, although you did claim that when >> you imported the PKCS#12 file into the software token, that the missing CA >> cert was then found present. >It's not a good idea to place the CA certificate on the token because >the trust bits may

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-04 Thread Ian G
Some remarks. On 4/7/09 12:18, Martin Paljak wrote: Firefox displays a "Please enter password for ..." dialog, which is ambiguous for casual users who need to be said very clearly when they need to enter the PIN of 4 or more digits. Right now my Firefox speaks Estonian but I also remember a ph

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-04 Thread Martin Paljak
As I have written one of those "many plugins used in EU" (used in Estonia on Mac OS X and NPAPI compatible browsers, which means firefox/safari/opera/camino ...), my opinions might be biased, but they reflect real life requirements. On 04.07.2009, at 1:04, Nelson B Bolyard wrote: FYI, to

Re: Problem reading certificate from hardware token

2009-07-04 Thread Eddy Nigg
On 07/04/2009 08:28 AM, Nelson B Bolyard: That's why I reason that the CA and user cert have to come from the same source, either the software storage or the token. But mixing the stores doesn't seem possible. Except that I do that all the time. True. Actually, I haven't seen evid

Re: Problem reading certificate from hardware token

2009-07-03 Thread Nelson B Bolyard
On 2009-07-03 04:33 PDT, Udo Puetz wrote: > What we've found out now is this: there is no CA certificate on the > token. And it seems that firefox needs the CA and the user certificate > from the same place: I don't believe it is true that Firefox requires both to be in the same token. > If I im

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Nelson B Bolyard
On 2009-07-03 05:29 PDT, Ian G wrote: > We desperately need some form of whitelisting in Firefox so that each site > always gets presented the same cert. If browsers can remember cookies > and username/passwords, then they can remember cert/domain combinations. This goes double for Thunderbird

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Nelson B Bolyard
On 2009-07-03 00:30 PDT, Martin Paljak wrote: > Some constructive suggestions; mostly for Firefox: > > 1. Use platform API-s where appropriate: cryptoapi (and basecsp via > this) on windows; cdsa/keychain on macosx. Regardless of who does it, this triples/quadruples the amount of work to be d

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Ian G
On 3/7/09 09:30, Martin Paljak wrote: ... 2. Fix Firefox/NSS - Firefox still thinks that you should be able to authenticate to websites with certificates *without* TLS client authentication extension. Add automatic certificate selection, and you get trouble. Yes, this makes cert login as bad a

Re: Problem reading certificate from hardware token

2009-07-03 Thread Udo Puetz
On Jul 2, 7:28 pm, Nelson B Bolyard wrote: Hi all, I'll answer Mr. Bolyard's questions briefly because I think we found the culprit. See at the bottom. > > I have a safenet iKey 1032 token where I imported the p12 certificate. > > In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet >

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Ian G
On 3/7/09 07:15, Anders Rundgren wrote: Nelson B Bolyard wrote: but please don't take it out on us. Please refrain from further sniping in this mailing list and newsgroup. Constructive contributions are welcome. I'm sorry about that. Is there any other place where Mozilla people hang out wh

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Anders Rundgren
>Anders, I think you must take your ideas to a standards body Eddy, this is exactly what I believed/hoped/craved for. Unfortunately, the people who represent "stake holders" like EU governments and banks do participate in international fora like OASIS and IETF, nor fund such developments. It

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Eddy Nigg
On 07/03/2009 08:15 AM, Anders Rundgren: I'm sorry about that. Is there any other place where Mozilla people hang out where there is an interest in trying to understand why and what is happening on the PKI side for consumers? Anders, I think you must take your ideas to a standards body - I

Re: Problem reading certificate from hardware token

2009-07-03 Thread Udo Puetz
Hello, my colleague has run off with the test token so I can only show you some screenshots I made for the German support of safenet. These show roughly what you requested. When my colleague returns I'll make new screenshots (in English if I manage somehow). Here are the shots: http://www.i-nex.de/

Re: Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-03 Thread Martin Paljak
On 03.07.2009, at 8:15, Anders Rundgren wrote: According to most people who are into consumer PKI, Java applets are the best solution for cross-browser PKI. I think Java applets suck but indeed, that's really all we got. but please don't take it out on us. Please refrain from further sni

Moving browser PKI forward (Re: Problem reading certificate from hardware token)

2009-07-02 Thread Anders Rundgren
Nelson B Bolyard wrote: >> If you want to use Hardware tokens, PKCS #11, and Firefox you >> either must be nuts, a masochist, very smart, or highly committed. >Anders, The user has made a decision and we're helping him with it. That's fine, I have personally noted that these kinds of problems ar

Re: Problem reading certificate from hardware token

2009-07-02 Thread Eddy Nigg
On 07/03/2009 02:26 AM, Nelson B Bolyard: In answer to your question: Yes, the Linux Software Base now includes NSS. Numerous products use it, including Google's Chrome and Adobe's Flash Player. Hoho, I didn't notice that... perhaps because it just works? -- Regards Signer: Eddy Nigg

Re: Problem reading certificate from hardware token

2009-07-02 Thread Nelson B Bolyard
On 2009-07-02 12:17 PDT, Anders Rundgren wrote: > If you want to use Hardware tokens, PKCS #11, and Firefox you > either must be nuts, a masochist, very smart, or highly committed. > > For ordinary users it makes little sense. > > Hardware tokens: there are any number of different types > PKCS #1

Re: Problem reading certificate from hardware token

2009-07-02 Thread Anders Rundgren
PKCS #10? I guess you really meant PKCS #11. I'm not aware of any such profile. There is a smart card profile but I doubt it has much to do with PKCS #11, it is rather about 7816. Anyway, the way Firefox is linked to PKCS #11 is probably OK in Linux-land. However, in Windows-land where 80% of a

Re: Problem reading certificate from hardware token

2009-07-02 Thread Kyle Hamilton
USB does actually have a PKCS#10 device reader profile. If you were to extend that by adding a generic "oh, it also has a device in a slot that performs these functions" layer that was exposed through the device-reader profile, it would be universal -- and universally implemented in the platform i

Re: Problem reading certificate from hardware token

2009-07-02 Thread Eddy Nigg
On 07/02/2009 10:17 PM, Anders Rundgren: If you want to use Hardware tokens, PKCS #11, and Firefox you either must be nuts, a masochist, very smart, or highly committed. For all those which are nuts, masochists, smart and highly committed I blogged this article which shows how easy it can be,

Re: Problem reading certificate from hardware token

2009-07-02 Thread Michael Ströder
Anders Rundgren wrote: > Linux: doesn't even provide a crypto service API, or does it? There's a PKCS#11 driver implementation by OpenSC project (see http://www.opensc.org/). Ciao, Michael.

Re: Problem reading certificate from hardware token

2009-07-02 Thread Anders Rundgren
If you want to use Hardware tokens, PKCS #11, and Firefox you either must be nuts, a masochist, very smart, or highly committed. For ordinary users it makes little sense. Hardware tokens: there are any number of different types PKCS #11: the most difficult to program and administer middleware kn

Re: Problem reading certificate from hardware token

2009-07-02 Thread Nelson B Bolyard
On 2009-07-02 02:58 PDT, Udo Puetz wrote: > I want to authenticate against a juniper SA 2500 firewall with a user and > password AND a certificate. > I have a safenet iKey 1032 token where I imported the p12 certificate. > In firefox (tried 2.0.x, 3.0.x and 3.5.x) I imported the safenet > K1PK112

Re: Problem reading certificate from hardware token

2009-07-02 Thread Anders Rundgren
I can't help you with the specific problem [:-(] but I can "help" you with a diagnostic at least. Which is? Smart card vendors have spent decades on fighting each other on the spec/middleware side and naturally we all have to pay the price. Tokens for consumers have therefore been [rightfully] r