2011/8/3 NdK <ndk.cla...@gmail.com>:
> On 03/08/2011 09:32, helpcrypto helpcrypto wrote:
> I need to implement a multiuser web password manager that allows users
> to group-share passwords (so Linux sysadmins don't have access to
> Windows passwords -- yes, I know AD, it's just an example).
> Server NEVER knows plaintext passwords, so even if it gets hacked no
> sensitive information is disclosed.
> Passwords must not be displayed, just get copied to the clipboard (so I
> can access the firewall password even if I'm in a lab with a dozen users
> behind my shoulders).

As I understand it, you want to develop something like a wallet, where passwords stored (encrypted) on the server are copied to the clipboard (although a simple CTRL+V will display it), to let the user authenticate to other services. Right?

You need applets because the access to this wallet is using a smartcard? A certificate? I agree, it's the most "homogeneous" way of doing it cross-browser.
> Known bug in FF, IIUC. When you insert the card (or load opensc-pkcs11)
> it C_Login to every slot even if you're not accessing certs. So:
> 1) it asks for EVERY pin (even signature ones)

What does IIUC mean?

With our company card + Spanish ID (DNIe) on different readers, while doing client auth, it asks for 2 PINs (one for each slot), to retrieve ALL the certs from all the slots/tokens. That lets FF show a window to select among all possible certs. Is this the scenario you are pointing at? Can you give me the bugzilla number?

(From my experience, NSS or the part responsible for retrieving the certs is not very efficient... for example, it requests vendor objects on my token something like 150 times, although the first time I say "I have none")

I think we should exchange experiences :P

> 2) while opensc-pkcs11 is loaded in FF, thunderbird (nor any other
> PKCS11 'client') doesn't "see" the card

That's an OpenSC desired/undesired behaviour. If OpenSC did that for any reason, you could ask here (or Martin). But I can tell you, it's not FF that is locking, because my smartcard can be used and viewed by many at the same time. (Thank God for PC/SC's BeginTransaction and EndTransaction methods)

> Anyway, auth using 'internal' method is possible only on https sites
> (unavailable on shared-hosting plans, and it's now giving me headaches
> since I need to use SNI, that's not supported by IE on XP).

No idea what "internal" means, or SNI, or what you are talking about.

>> Spanish tax ministry doesn't use applets (it uses native components),
>> which doesn't require the user to have Java.
> But, IIUC, that restricts use to only "supported" browser/platform -- I
> have labs w/ Linux machines, workstations w/ Windows XP (some w/ only
> IE, some w/ FF), quite a lot of Macs... The "minimum common denominator"
> can be Java w/ a minimum of must-have native libs (like pcsc-lite and
> ccid), even if it could be even better if those aren't needed.
We have those 3 systems, and support for 3 major browsers on each: Firefox/Chrome/IE/Safari. I think that's enough for end users... come on, don't make me support "lynx" please.

BTW, don't expect a friendly environment using Java on OSX, those guys hate it.

Again, similar scenario, maybe we could exchange more info.

>> https://www.agenciatributaria.gob.es/AEAT.sede/Inicio/Inicio.shtml
>> Spanish ecofirma (also from gov) uses an applet that downloads a
>> jnlp that installs everything needed on your computer
>> http://oficinavirtual.mityc.es/javawebstart/soc_info/ecofirma/index.html
> This assumes that the user:
> - can install sw

Copying files is not always needed, but access to the system is. Signed applets will let you access the system, and you could do whatever you want.

> - usually uses only one machine

Not true... it just "extracts and runs", even better than installing a client software. There are many ways to allow this without much headache... and clean the temp files before shutting down :P
I agree it's slower, but anyone could use it anywhere (desktop computer).

> Well, I'm using Aventra cards, so they're both PKCS15 and cryptographic :)
> I thought you can't have "legally strong" signature unless you're using a
> crypto card (at least here in Italy).

According to our law (Spain), to have "the higher level of recognized signature, equivalent (and even more) to a handwritten signature, you need a secure signing device (keypair generated inside the card)". This, for example, doesn't let the users export the key to a PKCS#12 file that could compromise the key.
---MAYBE I'M WRONG ON THIS, so anyone can correct me and, please, do it if I'm wrong---

Anyway, the signature has legal value and is recognized as an advanced signature; the difference can be summed up as, in case of trial:
- recognized signatures (created using a secure signing device) are trustworthy unless the opposite is proved ("defense should prove it")
- advanced signatures aren't trustworthy unless it can be proved ("prosecutor should prove it")

> Sometimes I can't understand'em... Like for the support of DNS
> extensions (commonly used by voip, jabber, Active Directory...) to tell
> on which port is https listening... IIRC it's about 10 years that a
> patch is available but never got adopted!

Open source communities, my friend :)

> If only SunPKCS11 would be more versatile... Maybe the simplest thing is
> to get its source and hack it, so that it:
> - supports plain on-card keypairs
> - only asks PIN when needed

AFAIK, both can be done.

> - handles multiple slots

What do you mean by this?

> - handles certs "outside a slot" (that is: that are not PIN protected)

Add them to NSS (can have PIN protection), use a PKCS#12 (can also have PIN protection)...

Again, move this conversation to private if you consider so.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel