On 2009-07-03 00:30 PDT, Martin Paljak wrote: > Some constructive suggestions; mostly for Firefox: > > 1. Use platform API-s where appropriate: cryptoapi (and basecsp via > this) on windows; cdsa/keychain on macosx.
Regardless of who does it, this triples/quadruples the amount of work to be done and code to be supported. Google did that. I'm not opposed to it, if Mozilla wants to fund it. > FYI, to make sense to users of eID cards currently one has to embed > the word PIN into the token description as well, so that the prompt > that Firefox displays would make sense: "Please enter password for: > MARTIN PALJAK (PIN1)" GUI hints would be useful... Please elaborate. > 2. Fix Firefox/NSS - Firefox still thinks that you should be able to > authenticate to websites with certificates *without* TLS client > authentication extension. Add automatic certificate selection, and you > get trouble. Extended Key Usages do not ADD to a cert's capabilities. They take way from it. A cert with no EKU extension is valid for all EKUsages (with very few exceptions - only one comes to mind). But it's certainly true that if Firefox will take a cert with an EKU extension that does NOT include TLS client auth and use that for TLS client auth, that's a bug, pure and simple. File a bug on it if you have a working example. > 2a. I don't know if the defaults have changed lately, but allow the > end user to define the "friendly certs" option for PKCS#11 tokens, > which currently has no UI except the Javascript loading function which > got removed from UI land and moved to XPI land in FF 3.5. There are > tokens that require this feature, but some PKCS#11 providers like > OpenSC which support many different tokens have no easy way to work in > both ways. I agree that one way to fix this is to provide some UI by which the PKCS#11 module can be configured as friendly when it is added. but I think we can probably just figure it out with s simple run time test, and then ignore the configuration bit. That's a better solution, if we can make it work. Please file an RFE about this. > 3. For Firefox only: provide a useful JS interface to allow access to > keys which are not used for web authentication but present under "my > certificates" for real-life online signing procedures. Are you aware of crypto.signtext? (Please, No ranting!) If you are aware of it, please write specifics about what else you need that's not there. It produces a full CMS (PKCS#7) signature. Be aware that any proposed signature method that doesn't show the user what he's signing will probably not be allowed. So, a method to sign a bare hash, without knowing where it came from is a non-starter. A method to take data and hash it, and then sign that could be made to work, but that's what crypto.signtext does. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
