On Thu, Jul 2, 2009 at 1:06 PM, Anders Rundgren<anders.rundg...@telia.com> wrote:
> PKCS #10? I guess you really meant PKCS #11.
>
> I'm not aware of any such profile. There is smart card profile
> but I doubt it has much to do with PKCS #11, it is rather about
> 7816.

You're right, PKCS#11. http://www.usb.org/developers/docs/EH_MR_rev1.pdf

But what is "7861"?

> Anyway, the way Firefox is linked to PKCS #11 is probably OK
> in Linux-land.
>
> However, in Windows-land where 80% of all users live it doesn't fill
> the bill.

If it's a standard component, with a standard interface, then there's no reason at all for the OS not to support it. I just don't have any USB devices which support that profile to test.

> BTW, we still don't have a credible system for *remote* provisioning of
> smart cards on any OS, so we shouldn't expect too much progress here
> because PKCS #11 can't do that job actually!

There are multiple reasons why we can't do that job:

1) There is no "credible remote provisioning" because there's no "credible third-party manufacturer" or "third-party trusted authority" that banks will allow.
2) There is no "credible remote provisioning" protocol.
3) There is no desire at/for the bank to allow smart-card login, because there are alternatives that are more useful.

(For example, Bank of America will text my cellphone an RSA SecurID-like number whenever I try to log into my account. This shows two separate types of authentication: something I know and something I have. Unless both the phone and the network are both tapped and redirected by Mallory, it's unlikely to be a problem. And, let's face it: the US government has access to my financial records anyway.)

> Kyle Hamilton wrote:
>>
>> USB does actually have a PKCS#10 device reader profile. If you were
>> to extend that by adding a generic "oh, it also has a device in a slot
>> that performs these functions" layer that was exposed through the
>> device-reader profile, it would be universal -- and universally
>> implemented in the platform itself.
>>
>> -Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto