Eddy Nigg wrote:
>> A guesstimate is that less than 1 out of 10 000 smart cards actually
>> are provisioned with <keygen>.

> Can you back up your statement with facts please?

I wrote "guesstimate". However, if we exclude a limited number of security nerds (that mainly produce cards for themselves), and concentrate on REAL smart card deployments; you got about a million eID cards in Estonia. None of these were provisioned using <keygen>; they were presumably produced in some kind of card factory.

For enterprises most of us know that Windows is the de-facto standard so even if they had actually used end-user provisioning, it would have been through Xenroll and CSPs rather than with <keygen> and PKCS #11.

But why in the world would anybody bother with <keygen>, Xenroll, or generateCRMFRequest, for provisioning smart cards when:
- you still have to do 80% of the gory stuff (formatting, PIN, PUK) in a Windows-only proprietary card management application?
- all bets are off regarding where keys actually were created?

That is, <keygen> is left for "soft certificates" that by default are not even PIN-protected. In my vocabulary that spells "insignificant".

Anders

----- Original Message -----
From: "Eddy Nigg" <eddy_n...@startcom.org>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Thursday, June 04, 2009 20:52
Subject: Re: Smart cards and the <keygen> element

On 06/04/2009 09:40 PM, Anders Rundgren:
> A guesstimate is that less than 1 out of 10 000 smart cards actually
> are provisioned with <keygen>.

Can you back up your statement with facts please?

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto