On 3/7/09 09:30, Martin Paljak wrote: ...
2. Fix Firefox/NSS - Firefox still thinks that you should be able to authenticate to websites with certificates *without* TLS client authentication extension. Add automatic certificate selection, and you get trouble.
Yes, this makes cert login as bad as other forms of login. We desperately need some form of whitelisting in Firefox so that each site always gets presented the same cert. If browsers can remember cookies and username/passwords, then they can remember cert/domain combinations.
2a. I don't know if the defaults have changed lately, but allow the end user to define the "friendly certs" option for PKCS#11 tokens, which currently has no UI except the Javascript loading function which got removed from UI land and moved to XPI land in FF 3.5. There are tokens that require this feature, but some PKCS#11 providers like OpenSC which support many different tokens have no easy way to work in both ways.
As an aside, does anyone have any stats about how many people use these non-Firefox security devices? It is somewhat clear that most end-users can't use these things, only corporates can. So Mozilla priority for these things might be lacking.
Whereas, end users can use browser-embedded certificates.
3. For Firefox only: provide a useful JS interface to allow access to keys which are not used for web authentication but present under "my certificates" for real-life online signing procedures. I know that here the vision of a polished solution differs between people but I also second Anders that there are many (tens?) custom built modules here in EU which re-implement at least the minimal part: signing a hash.
Are these easy-to-deploy open source plugins of some form?
GUI requirements (like displaying the title of a document, displaying a legal warning, displaying the whole document to be signed) could be worked upon in a common way once the basics are agreed upon to be useful.
Right, digital signing would be a good application. But can't be done properly without the browsers accepting a common protocol.
For now, I think the reason why there is so little interest for this field is that it is really hard to market such features. The reason why Apple has very low prirorities for smart card related fixes is that it is really hard for Steve to demo this on the big stage. Same goes with Firefox. And "those who really want it, can in theory achieve their goals with extras and extensions" works as well.
Concur. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto