On 5. 1. 2011 21:33, Anders Rundgren wrote:
Matej Kurpel wrote:
On 4. 1. 2011 22:23, Robert Relyea wrote:
On 01/03/2011 01:04 PM, Anders Rundgren wrote:
Hi,
I'm in the starting phase upgrading Firefox so that it can provision
credentials in a way that that banks and governments require which
among many things include E2ES (End-to-End Security) and issuer-
specified PIN-codes (or just policies for user-defined dittos).
The plan is mainly focusing on (enhanced) HW-tokens which NSS due
to its PKCS #11 heritage doesn't support with any of the above.
However, for "soft tokens" where all is running in user-space, the
distinction between middleware and the container is mostly academic
so it could be an idea supporting the NSS softtoken. Unfortunately, I
know rather little about NSS so I wonder if the idea is feasible or
not.
Q1: Is is correct that you can only have a single PIN for all soft
tokens?
You have a single pin per 'slot'. Any PKCS #11 module can implement
multiple slots. You can even cause the NSS softoken to have multiple
slots.
I also think that there is a definition on how to do key specific pins
in the later versions of PKCS #11. I think it involves using a special
user type, with the key operation already selected in the current
session. I'd have to go back and look, it might also just be I'm
remembering the AUTHENTICATE_ALWAYS semantic.
Yes, it's CKA_ALWAYS_AUTHENTICATE attribute set to TRUE for a private
key and, unfortunately, NSS currently does not support this.
I don't know exactly how to interpret this...
Does the softoken support PINs or not?
From what I know, it does not. It only supports a token-wide PIN (or
Password). Try opening up your Security Devices manager in Firefox or
Thunderbird, select Software security device from the left pane and as
you can see, you can only change a password for the whole token. (I
don't really know if there is one or if it's taken into account... I
have never used the software security device explicitly). Maybe someone
another in this list could shed some light on this...
How do you set it from Firefox?
OTOH, it would be strange if it did since none of the "upstream"
components
like <keygen> has any support for PIN provisioning.
Most serious users of "soft token" PKI due that distributes their own
provisioning and keystore SW and that won't change because I say it
should.
It probably takes Apple or Google to get the priorities straight ;-)
anders
Q2: Is it possible to add arbitrary data attributes to a key? I need
such
in order to support credential logotypes and information cards.
If these general token types, I suggest getting them added to the PKCS
#11 working group.
PKCS #11 also allows vendor defined attributes and objects. We use
these
to supply NSS specific operations and objects, that aren't generally
interesting to the PKCS #11 group as a whole. If the ideas are
generally
usable by a myriad of tokens, then trying to get them defined in the
working group is best.
CKA_VENDOR_SPECIFIC (0x8000000) and above. For example, NSS uses some
vendor-specific attributes such as the value of CKO_NETSCAPE_CRL for
CKA_CLASS attribute. You can implement such vendor-specific attribute
as well.
There is also an already define generic 'data' object.
If these objects aren't really attached to the key , then it's own
object type would make more sense.
bob
thanx,
Anders
M. Kurpel
M. Kurpel
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
