Nelson B wrote:
If your question is about mozilla's support of PKCS11 modules for devices with their own PIN pads, the answer is that the PKCS11 module must set the CKF_PROTECTED_AUTHENTICATION_PATH flag attribute in the CK_TOKEN_INFO structure. When mozilla prompts for a password, enter an empty password, and then use the pin pad instead.
I addressed this issue nearly over 1 year ago in this group.
Yup. At that time it was true (as it still is) that NSS properly handled the flag mentioned above, and already provided a function through which applications (like mozilla) could make use of it. It was also true (and still is) that PSM made no use of that function. We even added code to several NSS commands to exemplify the use of this feature. But no joy with PSM.
> Mozilla/Firefox still prompts me using a PIN input dialog even though this flag is set. :( Even good old Lotus Notes does not prompt me with an input dialog when having the above flag set.
> Seems that no one is working on PSM anymore?
Correct. About 2 years now, IIRC.
> Are there any plans to correct this behaviour in the near future?
There are one or two individuals who are considering contributing some work to PSM. I am not aware of any other "plans", certainly not aware of any plans by the mozilla foundation.
IIRC, PSM has not adapted to use even one new API feature, nor to fix even one bad error dialog, in about two years. Consequently, the focus of the NSS team has (IMO) visibly shifted away from the browser/email products towards other (third party) products that use NSS. Why develop new features for mozilla clients if they simply won't ever use them?
> Why does mozilla foundation let the psm part of its products down?
I think that's a great question for you to put publicly to the mozilla foundation. You'll need to do so in a newsgroup that they read. They don't read this one.
<soapbox> IMO, it comes down to this: mozilla is mostly a volunteer organization. Most of the developers who contribute to it receive *NO* pay to do so. MoFo cannot "tell" contributing developers what to work on, except for those very few developers that MoFo directly employs and pays. Working on buttons, icons, menus, and other general UI stuff is exciting to most contributors, especially if it appears in the app's "main" window. Working on security dialogs and preferences is not.
Mozilla has enjoyed a recent market share increase due to the media's perception that mozilla cared more for security than did MS. However, IMO, that perception of better security has been mostly due to an absence of security-poor features (e.g. ActiveX) that are found in IE but not in moz, and NOT due to a greater investment in security-specific code in the mozilla products.
However, the recent IDN-punycode issue showed that even mozilla products are not immune to the addition of features whose security implications have not been thought through. Appears to me that moz/ff is no longer the media-darling that it recently was, largely due to this issue.
Sadly, this situation (lacking security development investment) seems inherent to all-volunteer development projects, except for those projects that are specifically about security.
IMO, unless and until MoFo can hire someone for PSM or some other company decides to staff PSM development (as various companies now staff NSS development), the PSM situation will likely not change. PSM just isn't sexy enough to attract developers. </soapbox>
> Regards
> Chris
-- Nelson B
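An added example, not part of the original thread and not NSS or PSM code: how an application can act on CKF_PROTECTED_AUTHENTICATION_PATH so that no software PIN dialog appears for a pin-pad token. It assumes the PKCS #11 convention of passing a NULL PIN to the login call for such tokens; `token_login`, `login_fn`, `prompt_fn`, `dialogs_for_flags` and the mocks are hypothetical names, and the mock module and its PIN are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-ins for the PKCS #11 definitions used here, so the example
 * builds without a vendor header; values are those of the PKCS #11 spec. */
typedef unsigned long CK_FLAGS;
typedef unsigned long CK_RV;
#define CKR_OK                             0x00000000UL
#define CKR_FUNCTION_CANCELED              0x00000050UL
#define CKR_PIN_INCORRECT                  0x000000A0UL
#define CKF_LOGIN_REQUIRED                 0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH  0x00000100UL

/* Hypothetical callbacks: a wrapper around C_Login and the software PIN dialog. */
typedef CK_RV (*login_fn)(const unsigned char *pin, unsigned long len);
typedef const char *(*prompt_fn)(void);

/* Log in to a token given the flags from its CK_TOKEN_INFO. */
CK_RV token_login(CK_FLAGS flags, login_fn login, prompt_fn prompt)
{
    if (!(flags & CKF_LOGIN_REQUIRED))
        return CKR_OK;                   /* nothing to authenticate */
    if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return login(NULL, 0);           /* no dialog: PIN goes in on the pin pad */
    const char *pin = prompt();
    if (pin == NULL)
        return CKR_FUNCTION_CANCELED;    /* user dismissed the dialog */
    return login((const unsigned char *)pin, (unsigned long)strlen(pin));
}

/* Constructed mocks: a module accepting either a NULL PIN (pin pad) or
 * "1234", and a dialog that counts how often it is shown. */
static int dialogs_shown;
static CK_RV mock_login(const unsigned char *pin, unsigned long len)
{
    if (pin == NULL)
        return CKR_OK;
    return (len == 4 && memcmp(pin, "1234", 4) == 0) ? CKR_OK : CKR_PIN_INCORRECT;
}
static const char *mock_prompt(void) { dialogs_shown++; return "1234"; }

/* Number of software PIN dialogs shown for a token with the given flags,
 * or -1 if the login failed. */
int dialogs_for_flags(CK_FLAGS flags)
{
    dialogs_shown = 0;
    return token_login(flags, mock_login, mock_prompt) == CKR_OK ? dialogs_shown : -1;
}
```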
