I have ported the PKCS#11 module from the MuscleCard project to support
my card terminal which has a pin pad and display. So I can enter the PIN
with it. For this I use the PC/SC command SCardControl and the CT-BCS
standard. A special parameter for the SCardControl function is
necessary. I believe this parameter is proprietary for each reader. Is
this true? Is there a possibility to support all readers with a pin pad
and display?
Bye, Karsten
If your question is about the SCardControl command, or musclecard, this
newsgroup is not the best place to ask.
If your question is about mozilla's support of PKCS11 modules for
devices with their own PIN pads, the answer is that the PKCS11 module
must set the CKF_PROTECTED_AUTHENTICATION_PATH flag attribute in the
CK_TOKEN_INFO structure. When mozilla prompts for a password, enter
an empty password, and then use the pin pad instead.
>
> Bye, Karsten
--
Nelson B
I may be misremembering the exact sequence there.
Perhaps you enter a dummy password instead of an empty one.
Perhaps you enter the PIN on the PIN pad first, when you see the
password prompt, and then enter the dummy/empty password into mozilla.
You'll have to play with it a bit. Others have reported getting it
to work in the past, so I think you can too.
--
Nelson B
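What the flag discussed above means on the application side, as an added example (not code from this thread, NSS or PSM): when CKF_PROTECTED_AUTHENTICATION_PATH is set, the caller skips its own PIN dialog and passes a NULL PIN to the login call so the reader's pin pad collects it. The typedefs are cut-down stand-ins for pkcs11.h, and the mock token, `fake_prompt` and `login_user` are hypothetical names constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Cut-down stand-ins for pkcs11.h (constructed; the real structs have more fields). */
typedef unsigned long CK_ULONG, CK_FLAGS, CK_RV;
typedef unsigned char CK_UTF8CHAR;
typedef struct { CK_FLAGS flags; } CK_TOKEN_INFO;
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKU_USER          1UL
#define CKR_OK            0x00000000UL
#define CKR_ARGUMENTS_BAD 0x00000007UL
#define CKR_PIN_INCORRECT 0x000000A0UL

/* Mock token (hypothetical) standing in for a module's C_GetTokenInfo / C_Login. */
static CK_FLAGS mock_flags;
static int pinpad_used, prompts_shown;

static CK_RV mock_GetTokenInfo(CK_TOKEN_INFO *info) {
    info->flags = mock_flags;
    return CKR_OK;
}

static CK_RV mock_Login(CK_ULONG user, const CK_UTF8CHAR *pin, CK_ULONG len) {
    if (user != CKU_USER) return CKR_ARGUMENTS_BAD;
    if (pin == NULL) {  /* NULL PIN is only meaningful when the reader collects it */
        if (!(mock_flags & CKF_PROTECTED_AUTHENTICATION_PATH)) return CKR_ARGUMENTS_BAD;
        pinpad_used = 1;            /* PIN entered on the pin pad, never seen by the host */
        return CKR_OK;
    }
    return (len == 4 && memcmp(pin, "1234", 4) == 0) ? CKR_OK : CKR_PIN_INCORRECT;
}

/* Stand-in for the application's PIN dialog; counts how often it is shown. */
static const char *fake_prompt(void) { prompts_shown++; return "1234"; }

/* Application side: choose the login path from the token flags. */
CK_RV login_user(const char *(*prompt)(void)) {
    CK_TOKEN_INFO info;
    CK_RV rv = mock_GetTokenInfo(&info);
    if (rv != CKR_OK) return rv;
    if (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return mock_Login(CKU_USER, NULL, 0);      /* no software PIN dialog */
    const char *pin = prompt();                    /* ordinary token: ask the user */
    return mock_Login(CKU_USER, (const CK_UTF8CHAR *)pin, (CK_ULONG)strlen(pin));
}

int main(void) {
    mock_flags = CKF_PROTECTED_AUTHENTICATION_PATH;
    return (login_user(fake_prompt) == CKR_OK && prompts_shown == 0) ? 0 : 1;
}
```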
I addressed this issue over 1 year ago in this group. Mozilla/Firefox
still prompts me using a PIN input dialog even though this flag is set. :( Even
good old Lotus Notes does not prompt me with an input dialog when having the above
flag set.
Seems that no one is working on PSM anymore? Are there any plans
to correct this behaviour in the near future? Why does mozilla foundation
let the psm part of its products down?
Regards
Christoph
I addressed this issue nearly over 1 year ago in this group. Mozilla/Firefox
Yes.
> Are there any plans
> to correct this behaviour in the near future?
Yes.
See http://weblogs.mozillazine.org/gerv/archives/007555.html
Yup. At that time it was true (as it still is) that NSS properly handled
the flag mentioned above, and already provided a function through which
applications (like mozilla) could make use of it. It was also true (and
still is) that PSM made no use of that function. We even added code to
several NSS commands to exemplify the use of this feature. But no joy
with PSM.
> Mozilla/Firefox
> still prompts me using a PIN input dialog even though this flag is set. :( Even
> good old Lotus Notes does not prompt me with an input dialog when having the above
> flag set.
>
> Seems that no one is working on PSM anymore?
Correct. About 2 years now, IIRC.
> Are there any plans to correct this behaviour in the near future?
There are one or two individuals who are considering contributing
some work to PSM. I am not aware of any other "plans", certainly not
aware of any plans by the mozilla foundation.
IIRC, PSM has not adapted to use even one new API feature, nor to fix
even one bad error dialog, in about two years. Consequently, the focus
of the NSS team has (IMO) visibly shifted away from the browser/email
products towards other (third party) products that use NSS. Why develop
new features for mozilla clients if they simply won't ever use them?
> Why does mozilla foundation let the psm part of its products down?
I think that's a great question for you to put publicly to the
mozilla foundation. You'll need to do so in a newsgroup that they
read. They don't read this one.
<soapbox>
IMO, it comes down to this: mozilla is mostly a volunteer organization.
Most of the developers who contribute to it receive *NO* pay to do so.
MoFo cannot "tell" contributing developers what to work on, except for
those very few developers that MoFo directly employs and pays.
Working on buttons, icons, menus, and other general UI stuff is
exciting to most contributors, especially if it appears in the app's
"main" window. Working on security dialogs and preferences is not.
Mozilla has enjoyed a recent market share increase due to the media's
perception that mozilla cared more for security than did MS. However,
IMO, that perception of better security has been mostly due to an
absence of security-poor features (e.g. ActiveX) that are found in IE
but not in moz, and NOT due to a greater investment in security-specific
code in the mozilla products.
However, the recent IDN-punycode issue showed that even mozilla products
are not immune to the addition of features whose security implications
have not been thought through. Appears to me that moz/ff is no longer
the media-darling that it recently was, largely due to this issue.
Sadly, this situation (lacking security development investment)
seems inherent to all-volunteer development projects, except for
those projects that are specifically about security.
IMO, unless and until MoFo can hire someone for PSM or some other
company decides to staff PSM development (as various companies now
staff NSS development), the PSM situation will likely not change.
PSM just isn't sexy enough to attract developers.
</soapbox>
> Regards
>
> Chris
--
Nelson B
mozilla.org staff (through Gerv Markham, who is a member of staff but
not a Mozilla Foundation employee) has already issued a call for people
interested in working on PSM:
http://weblogs.mozillazine.org/gerv/archives/007555.html
I agree with Nelson that it would be helpful if the MF or someone else
would actually pay someone to do PSM development and related work (e.g.,
on NSS stuff of specific interest to Mozilla). Gerv's post references
two people, Chris Hoffmann and Dan Veditz, who are in fact MF employees
and who would be good people to contact about this topic; their email
addresses are in the blog post.
For people who do contact the MF, I suggest that you provide specific
examples of work you'd like to see done in PSM, and why, and also
provide pointers to any people you know who might be willing to
undertake paid PSM development either on a full-time or contract basis.
This is really a question of supply and demand: What's the level of
demand for PSM improvements, and what's the supply of people able and
willing to do PSM development (including paid development)? If the
demand is high enough, and there are people willing to do the work, then
the MF can judge whether it's worth paying them to do it.
Frank
--
Frank Hecker
hec...@hecker.org