Re: [opensc-devel] Java and pkcs11

Wed, 03 Aug 2011 10:41:01 -0700 

2011/8/3 NdK <ndk.cla...@gmail.com>:
> On 03/08/2011 16:16, Douglas E. Engert wrote:
>> You say you are using FF, so have you looked at JSS?
>> http://www.mozilla.org/projects/security/pki/jss/
How can you say so, if JSS is not recommended/supported for Java Applets?
(as said in the infamous bug
https://bugzilla.mozilla.org/show_bug.cgi?id=654939)
Anyway, AFAIK, using JSS doesnt avoid using sunPKCS11.
JSS avoids using smartcardio to list modules using a conf file, and
gives direct access to a PKCS#11 module

>> On Windows, you could also use the Windows CAPI via the SunMSCAPI,
>> and OpenSC on Windows can still be used via the OpenSC mindriver.
> Still proprietary solutions.
> And what about smartphones? "Standard" Java is more likely to be adapted
> than proprietary interfaces.
AFAIK, Java applet should attack the system keystore no matter how.
Having a cert on keystore (loaded from smartcard) is done using CSP or
CNG. At least, thats the way we do it.

>> Here are 3 others: 357025, 613496, 613507, These deal with selecting
>> the "best slot", supporting CK_ALWAYS_AUTHENTICATE if needed, and
>> cutting down on searching for any object when it should be searching for
>> a cert only, which may be your 150 times.
My 150 times its a vendor_defined object (CKO_VENDOR_DEFINED), and its
a "bad" implementation of NSS/PSM (i really dont know the internals).

> Well... The user should be responsible for selecting the "best" slot.
> That IMHO shouldn't be a "slot" in the first place, but just a
> certificate. The browser should only filter certs so that only
> acceptable ones are proposed to the user.
Thats what actually is done, isnt it? At least, after the pin request,
a window with certs is shown to select one...

> If an object isn't accessible ('cause it's marked private), it should
> user's responsibility to login w/ the correct credentials first.
The NSS should detect the flag, and if needed, call C_Login or do the
operations needed. Sometimes the object is not extractable from the
smartcard, so it depends.

Maybe the PIN should be cached cause sometimes card can be reset
between calls, and that loose the security access.
Thats the reason why spanish ID its requesting the PIN all the time(?)
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to