[xmlsec] Use of smart-cards to perform cryptographic operations
Clizio Merli
clizio at net4u.it
Mon May 16 09:37:30 PDT 2005
Aleksey Sanin wrote:
> Well, I don't think you are correct. NSS provides "best slot"
> functions exactly for this purpose. User selects which operations
> should be performed on which slot, you configure NSS that way and
> everything magically works. As far as I know, this is how Mozilla
> uses NSS (you might want to ask for more details in NSS mailing list).
>
> Aleksey
>
Sorry, probably you're right, but I believe there is a disguise.
The best slot paradigm adopted by NSS (as I can read from the source
code - nss/lib/pk11wrap/pk11slot.c) is based on the slot selection by
'mechanism-type'.
In a digital signature application, as I conceive it (and probably I'm
wrong, but don't know how) an end-user:
- first decides which slot/token to use (i.e. which smart-card to use,
and a user may have more than one card mounted on the system at a given
time),
- then selects a certificate in that smart-card (and the associated
private key),
- finally decides to sign with that certificate (i.e. with the
associated private-key, but that is unnamed from his point of view).
So at the signing time the application knows everything, and the signing
layer should decide if the selected certificate/private-key is good for
signing or not.
So in this scenario the "best-slot" is not the slot that best adapts to
my needs, but the slot/token I (the end-user) selected before: if the
selected slot/token is good for my purposes then the signature is
performed, otherwise I expect that the signing layer returns an error of
the type 'the selected slot/token is not good for performing the
requested action'.
I already developed some signing applications (not for XML files), and
had always adopted this schema.
This was the sense of my objection.
Kind regards
Clizio
--
----------------------------
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------
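
The two selection policies discussed in this message, as an added example that is not part of the original post and is not NSS code: a mechanism-driven "best slot" lookup next to a check of the slot and certificate the user already chose. The slot table, names, mechanism flags and error codes are all hypothetical, and best_slot() is a simplified first-match model, not the algorithm in pk11slot.c.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical mechanism flags and status codes (not PKCS#11 constants). */
enum { MECH_RSA_PKCS = 1u << 0, MECH_SHA1 = 1u << 1, MECH_DES3 = 1u << 2 };
enum sign_status { SIGN_OK = 0, ERR_NO_SUCH_SLOT, ERR_CERT_NOT_ON_SLOT,
                   ERR_SLOT_UNSUITABLE };

struct slot {
    const char *name;
    unsigned mechs;        /* bitmask of mechanisms the token supports */
    const char *certs[3];  /* certificates whose private key is on it  */
};

/* Constructed sample: one software token and two smart cards. */
static const struct slot slots[] = {
    { "softoken", MECH_RSA_PKCS | MECH_SHA1 | MECH_DES3, { "test-cert" } },
    { "card-A",   MECH_RSA_PKCS,                         { "alice-sign" } },
    { "card-B",   MECH_DES3,                             { "alice-enc" } },
};
#define NSLOTS (sizeof slots / sizeof slots[0])

/* Mechanism-driven policy: any slot that can do the mechanism will do. */
const struct slot *best_slot(unsigned mech) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (slots[i].mechs & mech) return &slots[i];
    return NULL;
}

/* User-driven policy: only the slot and certificate the user picked are
 * considered; if they cannot do the job, fail instead of falling back. */
enum sign_status check_selected(const char *slot_name, const char *cert,
                                unsigned mech) {
    for (size_t i = 0; i < NSLOTS; i++) {
        if (strcmp(slots[i].name, slot_name) != 0) continue;
        int has_cert = 0;
        for (size_t j = 0; j < 3 && slots[i].certs[j]; j++)
            if (strcmp(slots[i].certs[j], cert) == 0) has_cert = 1;
        if (!has_cert) return ERR_CERT_NOT_ON_SLOT;
        return (slots[i].mechs & mech) ? SIGN_OK : ERR_SLOT_UNSUITABLE;
    }
    return ERR_NO_SUCH_SLOT;
}

int main(void) {
    printf("best slot for RSA: %s\n", best_slot(MECH_RSA_PKCS)->name);
    printf("card-B/alice-enc for RSA: status %d\n",
           check_selected("card-B", "alice-enc", MECH_RSA_PKCS));
    return 0;
}
```

In this model the mechanism-driven lookup answers with the software token even though the user mounted two cards, while the user-driven check reports that card-B cannot perform the requested operation.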