F.Y.I.
----- Original Message -----
From: Anders Rundgren
To: [EMAIL PROTECTED]
Sent: Monday, September 01, 2008 09:30
Subject: Replacement for generateCRMFrequest ()
The following fragment of a coming XML-based provisioning scheme shows a
somewhat extended generateCRMFrequest () where a PIN can span from 1 to n keys.
The example uses a shared (synchronized) PIN for multiple keys which is
useful when you deploy PKI and OTP. In addition there is an issuer-specified
PUK as well (the encrypted value is in another section not shown for brevity).
Presumably you don't need to be an XML "guru" in order to digest the following
lines:
<CreateObject>
<PUKPolicy Format="numeric" Hidden="true" RetryLimit="3"
ValueReference="Item.1">
<PINPolicy Format="numeric" Grouping="shared" MaxLength="8"
MinLength="4" PatternRestrictions="three-in-a-row sequence" RetryLimit="3">
<KeyPair ID="Key.1" KeyUsage="universal">
<RSA KeySize="2048"/>
</KeyPair>
<KeyPair ID="Key.2" KeyUsage="piggybacked-symmetric-key">
<RSA KeySize="1024"/>
</KeyPair>
</PINPolicy>
</PUKPolicy>
</CreateObject>
The only real snag with this scheme is that it doesn't fit smart cards, but I
anticipate that mobile phones will take their role since the latter combine
HW-based cryptography (already featured in high-end Nokia phones) with powerful
processors, displays, keyboards, extensive connectivity options, and Gb storage
capabilities. Yes, it would of course work with an extended soft token
provider as well!
Now to a problem regarding implementing this in FireFox: Recent versions of
MSIE as well as Android's WebKit, have an advantage compared to Mozilla since
they in reality offer a richer development platform due to the links to .NET
and Java respectively. I hope the Mozilla team some day consider adopting JSE
or Mono as the foundation for extensibility rather than adding missing pieces
like XML validation and security to the Mozilla core because the latter may
turn out to be a dead-end.
The current implementation plan is to add this in parallel to Mozilla's
security architecture in the same way as some other Open Source groups have
added support for Information Cards to Firefox. Unfortunately it won't be able
to support TLS-client-cert-auth but there is a replacement for that as well
which is more in line with Information Cards; in fact the GUI is identical.
In case you are interested in this work, just drop me a line.
Anders Rundgren
WebPKI.org_______________________________________________
Developer mailing list
[email protected]
https://www.openoces.org/mailman/listinfo/developer
