On 06.07.2009, at 1:38, Nelson B Bolyard wrote:

On 2009-07-05 05:57 PDT, Martin Paljak wrote:

The problem is that an average users thinks like this: "password is
something like 'topsecret123', PIN code is something like '1234', I'm
asked for a password, let me see, which passwords I know that I might
type here..."

I see.  Your token only accepts numeric PINS, not passwords.  That's
curious. All the crypto tokens I have, or ever had, accepted passwords.
Dunno why it should matter.  Bits are bits.

It accepts ascii-numeric pins, but it is a PIN (with numbers) for several reasons:
1. People know PIN codes and use them on ATMs => cards have PINs which are made of numbers
2. I use pinpad readers for obvious reasons, which only have numbers
3. You are not married to your own computer, you might end up somewhere else where the only option is to use a pinpad (like e-service computers in local bank offices)
4. "Software legacy" - the same way it is sometimes hard to introduce hardware cryptography to existing pieces of software, because it is built following the "keys are in files which might need a password to open". Same with "chip and pin" software - PIN is a numeric thing for the masses, only in strange setups you can use something else.

Anyway, I just tried with FF 3.5 and it happily used the attached
certificate for web authentication. It even suggested this as the
first choice. Got ssl_error_unsupported_cert_alert.

The problem with NR remains that different parts of the world have
different ideas on what are the legitimate/expected uses of NR certs,
but they are all sure that their idea is the obvious only-correct way.
In your corner of the world, using NR certs for client auth is unacceptable,
but elsewhere it is acceptable.  No single policy can please everyone.

Maybe Firefox needs a "preference" so users can tell it whether to include NR certs in lists of certs eligible for authentication use, and another
to allow NR certs to be used for email signing use.


Right, that's why I've chosen workarounds and don't expect Firefox to handle more than just the bare minimal it has to - one certificate for SSL authentication. The "universal" token PKCS#11 module (which exports everything on the card) just does not play well with all others.
That is also the reason why things like signature plugins have been and will be "the thing" - because it is almost impossible to get it right, at least now.


I think that approaching Firefox team from the NSS side AND from
outside would give a better result than just outsiders requesting new
features/changes.

The relationship between producers and consumers of software (e.g. NSS
and Firefox, respectively) is like two people with a rope.  Consumers
pull when they want to.  Producers can either be pulled along, or can
resist being pulled along, but it does no good to push on a rope.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
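As an added example (not code from this thread, NSS or Firefox), here is how the two "preferences" proposed above could be expressed as a certificate-chooser filter in Go, using the standard library's x509 package: a per-purpose allowNR switch decides whether certificates carrying the nonRepudiation keyUsage bit are listed for TLS client auth or for email signing at all. The function names Eligible and SelfSigned and the throwaway test certificate are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsNonRepudiation reports whether keyUsage carries the nonRepudiation bit
// (named contentCommitment in RFC 5280 and in Go's x509 package).
func IsNonRepudiation(c *x509.Certificate) bool {
	return c.KeyUsage&x509.KeyUsageContentCommitment != 0
}

// Eligible is the filter a certificate chooser would apply before listing
// c for a purpose (ClientAuth or EmailProtection). allowNR stands for the
// hypothetical per-purpose preference: when false, NR certs are hidden.
func Eligible(c *x509.Certificate, purpose x509.ExtKeyUsage, allowNR bool) bool {
	if IsNonRepudiation(c) && !allowNR {
		return false
	}
	if c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return false // both TLS client auth and S/MIME signing need this bit
	}
	ok := len(c.ExtKeyUsage) == 0 // no EKU extension: any purpose allowed
	for _, e := range c.ExtKeyUsage {
		ok = ok || e == purpose || e == x509.ExtKeyUsageAny
	}
	return ok
}

// SelfSigned builds a constructed, throwaway certificate with the given bits.
func SelfSigned(ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test cert"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}
```

With allowNR left false, an NR certificate like the one attached in the thread would never reach the chooser, so the server's unsupported_cert alert would not occur; flipping the preference restores the current Firefox behaviour.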



