Peter Stuge wrote:
> Anders Rundgren wrote:
>> What I *do* consider a problem is exposing PC/SC to browser code.
>
> What API would be OK? Is PKCS#11 much better?

There should (IMO) not be any crypto API exposure in untrusted browser code. Mozilla's <keygen> shows that you don't have to. Microsoft's CertEnroll is a horribly broken scheme based on API access from the browsers. It typically requires you to *lower* security settings to run at all and still it may ask the user for permission to "enumerate CSPs" which is utter nonsense for 99% of all users.

Anders

>
> //Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel