I don't think PKCS #11 fills the role of universal crypto system for
the mass market, since there is no registry like its competitors have.
Installing Security Devices (including finding out the path to them)
is way beyond what a consumer can do.

There is no UI that can fix a broken or incomplete architecture.

Anders


----- Original Message ----- 
From: "Eddy Nigg" <eddy_n...@startcom.org>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Sunday, March 22, 2009 20:07
Subject: Re: client certificates unusable?


On 03/22/2009 07:58 PM, Nelson B Bolyard:
> Each product has one way to install PKCS#11 modules.  All modules are
> installed in that product by that method, whatever it is.  In Firefox,
> you go to the Options dialog (exact method varies by platform, on Windows
> you find Options in the Tools menu) select the "Advanced" tab, and the
> "Encryption" sub-tab, then click "Security Devices".  This brings up the
> "Device Manager" dialog which lists the PKCS#11 modules you have installed,
> and the "devices" (called "tokens" in PKCS#11 speak) or "slots" (for
> pluggable tokens) that are managed by each module.  In that dialog, the
> "Load" button brings up a misnamed "Load PKCS#11 Device" (should be module)
> dialog.  There, you type in the name of the shared library (DLL, Dylib, or
> .so) which is the PKCS#11 module, and you enter a name by which you want to
> remember that module (it will be displayed in the device manager dialog),
> and click OK.  Voila.
>    

This long explanation shows what could be improved. I liked the idea of 
scanning for PKCS11 modules, but there certainly must be an easier way 
than the above. Hope Johnathan takes note of this one.
> As it happens, I do not believe that UI issues for client auth are the BIG
> stopper of client auth.  Sure, I agree that UI could be improved, but
> before you get to experience those UI issues, you must actually have a cert
> and a server that you think might accept that cert as authenticating you.
> Today, few such servers exist.  I think the absence of a single uniform
> user ID space is actually a greater impediment than UI.  That's why I find
> Eddy's idea (if I understand it right) of using OpenID identities as that
> single space, and using certs to authenticate them, is so intriguing.
>
> When we get to the point where there are more users trying to use certs,
> and the average common Joe FF User is whining about cert UI in the
> ordinary FF user groups (rather than here in these esoteric back waters)
> THEN the FF UI folks will sit up and take notice.

Unfortunately we can't do it all alone by ourselves, and those whom I have 
approached, who could make a difference, have so far ignored it. I 
have some quite concrete papers for a raw plan on research and new 
design for this space.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:  https://blog.startcom.org

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
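The dialog Nelson describes asks for the path of the module's shared library, and Eddy's reply mentions scanning for modules. As an added example, not code from the thread, from Firefox or from NSS, the Python script below does that discovery step by hand with ctypes: it loads each candidate path, checks for the C_GetFunctionList entry point every PKCS#11 module must export, and reads the library description via C_GetInfo. The candidate paths are assumed locations, and only the leading entries of the function list are declared.

```python
import ctypes
import os

CKR_OK = 0
CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191
CK_RV = ctypes.c_ulong

class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]

class CK_INFO(ctypes.Structure):  # layout per pkcs11t.h, default (Unix) packing
    _fields_ = [("cryptokiVersion", CK_VERSION), ("manufacturerID", ctypes.c_ubyte * 32),
                ("flags", ctypes.c_ulong), ("libraryDescription", ctypes.c_ubyte * 32),
                ("libraryVersion", CK_VERSION)]

class CK_FUNCTION_LIST(ctypes.Structure):  # only the leading entries are needed here
    _fields_ = [("version", CK_VERSION),
                ("C_Initialize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_Finalize", ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)),
                ("C_GetInfo", ctypes.CFUNCTYPE(CK_RV, ctypes.POINTER(CK_INFO)))]

def probe_module(path):
    """Return (path, libraryDescription) if `path` is a PKCS#11 module, else None."""
    if not os.path.isfile(path):
        return None
    try:
        get_list = ctypes.CDLL(path).C_GetFunctionList  # every module must export this
    except (OSError, AttributeError):
        return None  # not loadable, or an ordinary library rather than a module
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST)()
    if get_list(ctypes.byref(fl)) != CKR_OK or not fl:
        return None
    rv = fl.contents.C_Initialize(None)  # NULL pInitArgs: library-default locking
    if rv not in (CKR_OK, CKR_CRYPTOKI_ALREADY_INITIALIZED):
        return None
    info, desc = CK_INFO(), "(C_GetInfo failed)"
    if fl.contents.C_GetInfo(ctypes.byref(info)) == CKR_OK:
        desc = bytes(info.libraryDescription).decode("ascii", "replace").rstrip()
    if rv == CKR_OK:
        fl.contents.C_Finalize(None)  # only undo an initialisation we performed
    return (path, desc)

DEFAULT_CANDIDATES = [  # assumed locations of common Linux modules; adjust per platform
    "/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so",
    "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so",
    "/usr/lib/softhsm/libsofthsm2.so",
]
def scan_modules(candidates=DEFAULT_CANDIDATES):  # keep only real PKCS#11 modules
    return [m for m in (probe_module(p) for p in candidates) if m]
```

Each hit is a (path, description) pair, and the path is exactly what the "Load PKCS#11 Device" dialog expects to be typed in.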