On 2009-07-05 05:57 PDT, Martin Paljak wrote:

> The problem is that an average user thinks like this: "password is
> something like 'topsecret123', PIN code is something like '1234', I'm
> asked for a password, let me see, which passwords I know that I might
> type here..." More experienced people of course figure out what it is
> and use the PIN code, but there are still people who try to type
> something that reminds a password to them when asked for it. "Please
> enter your PIN for <token name>" is what should be used. I "fixed"
> Firefox prompts by making the token name appear as "MARTIN PALJAK
> (PIN1)", but the resulting "Please enter password for MARTIN PALJAK
> (PIN1)" is still ambiguous with both password and PIN in one dialog.

I see. Your token only accepts numeric PINs, not passwords. That's curious. All the crypto tokens I have, or ever had, accepted passwords. Dunno why it should matter. Bits are bits.

> Right. I might be wrong here but everything worked as expected (even
> if it was not theoretically possible when looking at source code at
> that time) with Firefox 1.0 series, maybe even 1.5. Most probably
> because Estonian ID card has two certificates, one with
> non-repudiation KU and one without it. Before the NR changes it worked
> because NR certs were unusable for Firefox/NSS. Am I right?
>
> Anyway, I just tried with FF 3.5 and it happily used the attached
> certificate for web authentication. It even suggested this as the
> first choice. Got ssl_error_unsupported_cert_alert.

The problem with NR remains that different parts of the world have different ideas on what are the legitimate/expected uses of NR certs, but they are all sure that their idea is the obvious only-correct way. In your corner of the world, using NR certs for client auth is unacceptable, but elsewhere it is acceptable. No single policy can please everyone. Maybe Firefox needs a "preference" so users can tell it whether to include NR certs in lists of certs eligible for authentication use, and another to allow NR certs to be used for email signing use.

> I think that approaching Firefox team from the NSS side AND from
> outside would give a better result than just outsiders requesting new
> features/changes.

The relationship between producers and consumers of software (e.g. NSS and Firefox, respectively) is like two people with a rope. Consumers pull when they want to. Producers can either be pulled along, or can resist being pulled along, but it does no good to push on a rope.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto