On 25 Sep 2015, at 10:36, helpcrypto helpcrypto <helpcry...@gmail.com> wrote:
> I hope you can find a solution for my problem, cause I can't. (And perhaps > it's impossible) > Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM > attack that steals the PIN when an application invokes C_Login against a > PK#11 library. ... > Sadly, using Pinpads is out of scope/beyond our possibilities. This won’t solve your problem directly - but may still be useful (especially as I am guessing that as you are CC-ing the Mozilla list - that you are concerned with browsers). One way we got things this to pass munster was to carefully make a threatmap/actor analysies - and then meet the various compliance & infosec expectations was by 1) dispensing with the PIN and 2) having a `what you know’ as part of the interaction through the browser (only). As this concerned access to something which was only accessible through the browser - we essentially argued that if one where able to manipulate the local browser/keyboard/system to such an extent as to be able to capture the PIN near the PKCS library/driver - one would almost most certainly be able to get `at’ whatever the chipcard & pin where protecting `in’ the browser. Dw -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto