> And what about applets without JSS, using Secmod [1] or the sunpkcs11
> [2] provider?
>
> [1] http://www.docjar.com/docs/api/sun/security/pkcs11/Secmod.html
> [2] http://www.docjar.com/docs/api/sun/security/pkcs11/SunPKCS11.html
Any comments?
> Helpcrypto, a possible *long-term* solution to this is that the requester
> indicates such preferences. So if the requester says "external card"
> (for example) the dialog would not need the user to select. If there
> is no card present, it would ask the user to insert a suitable card.
> This i
Hello,
On Fri, Apr 20, 2012 at 13:53, Anders Rundgren
wrote:
> I think these guys have done huge work with signature Applets:
>
> http://www.openoces.org
I don't know about practical differences, as I've not tested either
applet in real life applications, but there's another interesting
applet
On 2012-04-20 10:34, helpcrypto helpcrypto wrote:
> After reading your three mails, I have only one thing to say: Clear as water.
>
> Thanks a lot for your patience and effort on explaining this for
> short-minded like me.
> Thanks a lot, REALLY, for your long, detailed and clear answer.
> Of cours
After reading your three mails, I have only one thing to say: Clear as water.
Thanks a lot for your patience and effort on explaining this for
short-minded like me.
Thanks a lot, REALLY, for your long, detailed and clear answer.
Of course, thanks a lot to Anders (which also suffered me) and others,
On 20/04/12 01:06 AM, helpcrypto helpcrypto wrote:
Since you typically need a bunch of calls in order to do something
"pkcs11-ish" you would annoy the user with tons of warning dialogs.
False, just a warning to confirm the website can use the smartcard,
and PIN/Password when needed.
Yes, te
On 20/04/12 00:28 AM, helpcrypto helpcrypto wrote:
I can see where this difficulty is, I've worked on smart cards and it is ...
perverse. I'll see if I can explain it. As an aside I have no idea what
the NSS people think, I'm not speaking for them, and they don't typically
like what I say :) A
On 20/04/12 00:41 AM, helpcrypto helpcrypto wrote:
My "solution" to this is to treat all PKI-using applications as complete
applications running in trusted code. W3C tries to do something different,
we'll see how that pans out...
Ok Anders, but you are -again- talking much about your protocol,
> Dear HelpCrypto, I'm not pushing my protocol. I just don't think
> that web-pages should be able to directly address *any* device
> but the screen.
If that were true, many things (like JSS) should disappear from MDN.
Don't misunderstand. I'm not complaining about you or your protocol.
> If you take
On 2012-04-19 16:41, helpcrypto helpcrypto wrote:
>> My "solution" to this is to treat all PKI-using applications as complete
>> applications running in trusted code. W3C tries to do something different,
>> we'll see how that pans out...
>
> Ok Anders, but you are -again- talking much about your
> My "solution" to this is to treat all PKI-using applications as complete
> applications running in trusted code. W3C tries to do something different,
> we'll see how that pans out...
Ok Anders, but you are -again- talking much about your protocol, not
answering my question (or at least, I didn't
> I can see where this difficulty is, I've worked on smart cards and it is ...
> perverse. I'll see if I can explain it. As an aside I have no idea what
> the NSS people think, I'm not speaking for them, and they don't typically
> like what I say :) Apologies out of the way, onwards!
This sound
On 2012-04-19 09:21, helpcrypto helpcrypto wrote:
>> (to me, that question makes no sense. users can't talk to smart cards.
>> Only smart card readers and programs can. So what smart card reader and
>> what program is doing this? A dumb smart card reader and a browser,
>> following Javascript i
On 19/04/12 17:21 PM, helpcrypto helpcrypto wrote:
(to me, that question makes no sense. users can't talk to smart cards.
Only smart card readers and programs can. So what smart card reader and
what program is doing this? A dumb smart card reader and a browser,
following Javascript instructi
> (to me, that question makes no sense. users can't talk to smart cards.
> Only smart card readers and programs can. So what smart card reader and
> what program is doing this? A dumb smart card reader and a browser,
> following Javascript instructions from a website? That'd be game over...)
> My scenario is a billion+ community who haven't a clue what a CSP
> is and never will. They may not even know what a certificate is!
>
> A CSP-solution doesn't give the issuer any information about where and
> how a key was generated. The same goes for NSS, JCE, and PKCS #11.
Developer *can* k
On 2012-04-18 13:06, ianG wrote:
> (lo-pri interest only requests)
Short return then :-)
>
> On 18/04/12 20:00 PM, Anders Rundgren wrote:
>> On 2012-04-18 11:04, helpcrypto helpcrypto wrote:
>
Container attestations must be performed at the APDU-level since
E2ES cannot be "abstracted"
(lo-pri interest only requests)
On 18/04/12 20:00 PM, Anders Rundgren wrote:
On 2012-04-18 11:04, helpcrypto helpcrypto wrote:
Container attestations must be performed at the APDU-level since
E2ES cannot be "abstracted".
I dont understand that.
See section 9.5 of:
http://forja.cenatic.es/
On 2012-04-18 11:04, helpcrypto helpcrypto wrote:
> On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren
> wrote:
>> Dear "helpcrypto", now it became a little bit messy because I'm talking about
>> principles while you are talking about specific interfaces like NSS, and
>> PKCS #11.
>
> Ok. Rather
On Wed, Apr 18, 2012 at 10:03 AM, Anders Rundgren
wrote:
> Dear "helpcrypto", now it became a little bit messy because I'm talking about
> principles while you are talking about specific interfaces like NSS, and PKCS
> #11.
Ok. Rather than discussing technical or theoretical points of view, I
thin
Dear "helpcrypto", now it became a little bit messy because I'm talking about
principles while you are talking about specific interfaces like NSS, and PKCS
#11.
> During enrollment, I need to know card is present and the keypair is
> generated inside. How can I achieve this without a pkcs#11 inte
> Although E2ES (End-to-End-Security with respect to the *container*) is
> actually my line of work (http://webpki.org/papers/keygen2/sks-api-arch.pdf),
> I don't understand why you would use it during signing or authentication.
> Yes, TLS-client-cert-authentication is also E2ES but it works "one l
On Tue, Apr 17, 2012 at 16:05, Anders Rundgren
wrote:
> Exposing NSS, PKCS #11 or PC/SC to downloaded browser code suffers from the
> same issues.
All the mentioned interfaces are the lowest common denominators to
some extent. Also, provisioning shall suffer from lack of interest
from involved
On 2012-04-17 14:14, helpcrypto helpcrypto wrote:
>> It was for example suggested that PKCS #11 should be exposed as a
>> JavaScript object. I think that is downright ridiculous idea,
>> almost as bad as: http://www.sconnect.com/FAQ/index.html
>
> Let me expose two user-cases where I think that w
> It was for example suggested that PKCS #11 should be exposed as a
> JavaScript object. I think that is downright ridiculous idea,
> almost as bad as: http://www.sconnect.com/FAQ/index.html
Let me expose two user-cases where I think that will be helpful (and
maybe the only option).
-Web page t
On 2012-04-17 11:14, helpcrypto helpcrypto wrote:
> So, do you (we) ALL agree NSS should be modified to hook with system
> keystores like Windows or OSX? (Linux has no default system keystore,
> so there will be no changes by now)
> Maybe wtc has something to say against this...
>
> Are mozilla (w
On 17/04/12 19:14 PM, helpcrypto helpcrypto wrote:
So, do you (we) ALL agree NSS should be modified to hook with system
keystores like Windows or OSX? (Linux has no default system keystore,
so there will be no changes by now)
Maybe wtc has something to say against this...
Are mozilla (we) going
So, do you (we) ALL agree NSS should be modified to hook with system
keystores like Windows or OSX? (Linux has no default system keystore,
so there will be no changes by now)
Maybe wtc has something to say against this...
Are Mozilla (we) going to see (wait) what is said on:
http://www.w3.org/201
On 2012-04-17 09:06, helpcrypto helpcrypto wrote:
>> I would not build a scheme based on NSS because NSS is not a prerequisite
>> unless you force people to use Firefox.
> We aren't forcing. We already support Microsoft, OSX and Google
> browsers, and (trying) Firefox too.
>
>> Hooking Mozilla/NS
> I would not build a scheme based on NSS because NSS is not a prerequisite
> unless you force people to use Firefox.
We aren't forcing. We already support Microsoft, OSX and Google
browsers, and (trying) Firefox too.
> Hooking Mozilla/NSS into native APIs like CryptoAPI is a much more important
On 2012-04-16 09:47, helpcrypto helpcrypto wrote:
>>> If you'd like to help make Firefox better for enterprises, we'd be
>>> delighted to have you submit patches instead of questioning our
>>> commitment to our users.
>
> I'll ask another way: Is there any argument against compiling NSS with
> @lo
>> If you'd like to help make Firefox better for enterprises, we'd be
>> delighted to have you submit patches instead of questioning our
>> commitment to our users.
I'll ask another way: Is there any argument against compiling NSS with
@loader_path instead of current @executable_path?
(https://bug
On 2012-04-11 07:42, Gen Kanai wrote:
>
> On 4/9/12 6:05 PM, helpcrypto helpcrypto wrote:
>> The question can be changed to:
>> -Does Mozilla want companies and business to use Firefox? (rather than
>> chrome)
>> -Does Mozilla think themes and make up are more important to business
>> than this ki
On 4/9/12 6:05 PM, helpcrypto helpcrypto wrote:
> The question can be changed to:
> -Does Mozilla want companies and business to use Firefox? (rather than chrome)
> -Does Mozilla think themes and make up are more important to business
> than this kind of features?
If you are familiar with the Mozi
> Google Chrome is exposing NSS to Java/JSS on Mac OS X? I did not think that
> Chrome uses the NSS certificate database at all on Mac OS X.
Google Chrome uses each OS-specific keystore. On OSX it's the keychain, so
there's no need of JSS. In Linux, and using shared nss db, it uses jss
and works "well".
On 04/04/2012 04:30 PM, Brian Smith wrote:
helpcrypto helpcrypto wrote:
IMHO, this is something that needs some clarification, as Mozilla *IS*
supporting it developing JSS but at the same time saying "we do not
support it",
Some people who are part of the Mozilla project maintain JSS. I will help
r
helpcrypto helpcrypto wrote:
> IMHO, this is something that needs some clarification, as Mozilla *IS*
> supporting it developing JSS but at the same time saying "we do not
> support it",
Some people who are part of the Mozilla project maintain JSS. I will help
review patches to JSS if/when the member
Hi all [Opening my pandora...].
A few months ago we started having problems with NSS (and OSX):
-Cannot load NSS libs from applet on Firefox 4 on MacOSX
http://forums.mozillazine.org/viewtopic.php?f=38&t=2165273
-Firefox 4 bad initialize on Mac OSX 10.6.7 This cause wrong
java.library.path, u