On 01/05/2011 12:33 PM, Anders Rundgren wrote: > Matej Kurpel wrote: >> On 4. 1. 2011 22:23, Robert Relyea wrote: >>> On 01/03/2011 01:04 PM, Anders Rundgren wrote: >>>> Hi, >>>> >>>> I'm in the starting phase upgrading Firefox so that it can provision >>>> credentials in a way that that banks and governments require which >>>> among many things include E2ES (End-to-End Security) and issuer- >>>> specified PIN-codes (or just policies for user-defined dittos). >>>> >>>> The plan is mainly focusing on (enhanced) HW-tokens which NSS due >>>> to its PKCS #11 heritage doesn't support with any of the above. >>>> >>>> However, for "soft tokens" where all is running in user-space, the >>>> distinction between middleware and the container is mostly academic >>>> so it could be an idea supporting the NSS softtoken. Unfortunately, I >>>> know rather little about NSS so I wonder if the idea is feasible or >>>> not. >>>> >>>> Q1: Is is correct that you can only have a single PIN for all soft >>>> tokens? >>> You have a single pin per 'slot'. Any PKCS #11 module can implement >>> multiple slots. You can even cause the NSS softoken to have multiple >>> slots. >>> >>> I also think that there is a definition on how to do key specific pins >>> in the later versions of PKCS #11. I think it involves using a special >>> user type, with the key operation already selected in the current >>> session. I'd have to go back and look, it might also just be I'm >>> remembering the AUTHENTICATE_ALWAYS semantic. >>> >> Yes, it's CKA_ALWAYS_AUTHENTICATE attribute set to TRUE for a private >> key and, unfortunately, NSS currently does not support this. There's a long standing patch for NSS that needs love. I've reviewed a couple of versions, but none have ever been checked in. I would love it if someone who really cares (and has tokens which support this semantic to drive getting this in.
I'm still not sure that CKA_ALWAYS_AUTHENTICATE means that there is a separate pin for the key, however. I'd have to look it up in the spec. > > I don't know exactly how to interpret this... > Does the softoken support PINs or not? How do you set it from Firefox? You are asking lots in imprecise questions, so I'm not sure exactly what you are asking here. 1. Softoken does support slot pins. You can set it from firefox by setting the 'master password'. If you have multiple slots defined (which equates to multiple key/cert databases), you can use the security manager to set the pin. 2. Softoken does not support either CKA_ALWAYS_AUTHENTICATE, nor does softoken currently support multiple pins. It does not mean it couldn't in principle support these. > OTOH, it would be strange if it did since none of the "upstream" > components > like <keygen> has any support for PIN provisioning. Setting a pin on a specific key would probably also require NSS support. The CKA_ALWAYS_AUTHENTICATE patch presumes an already provisioned key. > > Most serious users of "soft token" PKI due that distributes their own > provisioning and keystore SW and that won't change because I say it > should. > It probably takes Apple or Google to get the priorities straight ;-) Someone who cares, has the infrastructure to test it, and supplies patches would also go a long way.;). bob > > anders
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
