Nelson,

I don't have any success story to bring unfortunately.

However, I feel that there is a problem with PKCS #11 and the
associated generateCRMFrequest and that is that issuers have (as
far as I can see) no information that the keys actually reside in a
secure container.  This makes parties like employers, banks and
governments reluctant to abandon their current schemes using physical
distribution of keys in known containers.  For managing your own
set of servers this presumably works perfectly but that is maybe not a
killer application.

IMO, it is a bit sad that vendors like SanDisk haven't added PKI
capability to their stuff since just about every PC user has a USB
memory.  I believe key protection against software attacks would
be OK for the majority; physical attacks and electrical attacks
like eTokens can handle are still a bit esoteric and seem a bit over the
top at least compared to the current aid/pad schemes.

Anders


----- Original Message ----- 
From: "Nelson Bolyard" <>
Newsgroups: mozilla.dev.tech.crypto
To: <[email protected]>
Sent: Friday, August 31, 2007 08:02
Subject: Personal crypto device (or smart card) success stories?


NSS, the crypto software used in mozilla browsers and email clients, was
one of the first adopters of PKCS#11, the interface standard for crypto
devices like smart cards and USB crypto fobs.  Network client products
that use NSS have been able to work with a large variety of crypto
devices from various vendors for a decade now.

But for much of that time, it was not economical for individual users to
get their own crypto devices.  In quantities of 10,000, the prices were
reasonable, but if you only wanted to buy one or two, the prices were
well over USD $100 each, for a long time.

As an NSS developer, I was frustrated that crypto devices were economical
for my employer, but not for me personally.  I had the use of a crypto
device provided by my employer, but the keys in it were the property of
my employer, and they could legally take them whenever they wanted.

I wanted a device of my own, that I owned, and that no-one had the right
to use, except me. But it just wasn't economical.

Now that seems to have changed.  Good USB crypto devices can be had for
less than USD $50, and really good ones for well below $100.

Today, I'm using an Aladdin eToken Pro USB device with enough memory to
store all the certs and private keys I'll need for a few years to come.
It works very well with Mozilla, Firefox, Thunderbird, SeaMonkey, etc.
I'm using it with Aladdin's software on Windows, but Linux drivers are
also available through OpenSC.  I bought mine from startcom.org.  I'm very
pleased with it.  It's mine, all mine! :-)

So, I'm wondering.  Are others on this list also using their own personal
smart cards or crypto devices (not their employers', but theirs personally)?
Are they working well for you with mozilla products?  With other products?
Would you recommend the product you use to others?  What did it cost you?
On what platforms is it supported?

Obviously, I don't want to turn this into a big advertising opportunity,
but I figure if people are telling their own personal success stories
about products they personally bought (like I did), we shouldn't go too
far off into advertising land.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto