On 2009-07-05 05:57 PDT, Martin Paljak wrote:

> The problem is that an average user thinks like this: "password is
> something like 'topsecret123', PIN code is something like '1234', I'm  
> asked for a password, let me see, which passwords I know that I might  
> type here..." More experienced people of course figure out what it is  
> and use the PIN code, but there are still people who try to type
> something that reminds them of a password when asked for it. "Please
> enter your PIN for <token name>" is what should be used. I "fixed"  
> Firefox prompts by making the token name appear as "MARTIN PALJAK  
> (PIN1)", but the resulting "Please enter password for MARTIN PALJAK  
> (PIN1)" is still ambiguous with both password and PIN in one dialog.

I see.  Your token only accepts numeric PINs, not passwords.  That's
curious.  All the crypto tokens I have, or ever had, accepted passwords.
Dunno why it should matter.  Bits are bits.

> Right. I might be wrong here but everything worked as expected (even  
> if it was not theoretically possible when looking at source code at  
> that time) with Firefox 1.0 series, maybe even 1.5. Most probably  
> because Estonian ID card has two certificates, one with
> non-repudiation KU and one without it. Before the NR changes it worked
> because NR certs were unusable for Firefox/NSS. Am I right?
> 
> Anyway, I just tried with FF 3.5 and it happily used the attached  
> certificate for web authentication. It even suggested this as the  
> first choice. Got ssl_error_unsupported_cert_alert.

The problem with NR remains that different parts of the world have
different ideas on what are the legitimate/expected uses of NR certs,
but they are all sure that their idea is the obvious only-correct way.
In your corner of the world, using NR certs for client auth is unacceptable,
but elsewhere it is acceptable.  No single policy can please everyone.

Maybe Firefox needs a "preference" so users can tell it whether to include
NR certs in lists of certs eligible for authentication use, and another
to allow NR certs to be used for email signing use.

> I think that approaching Firefox team from the NSS side AND from  
> outside would give a better result than just outsiders requesting new  
> features/changes.

The relationship between producers and consumers of software (e.g. NSS
and Firefox, respectively) is like two people with a rope.  Consumers
pull when they want to.  Producers can either be pulled along, or can
resist being pulled along, but it does no good to push on a rope.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
