NSS SoftToken Capabilities
Anders Rundgren
I'm in the starting phase upgrading Firefox so that it can provision
credentials in a way that that banks and governments require which
among many things include E2ES (End-to-End Security) and issuer-
specified PIN-codes (or just policies for user-defined dittos).
The plan is mainly focusing on (enhanced) HW-tokens which NSS due
to its PKCS #11 heritage doesn't support with any of the above.
However, for "soft tokens" where all is running in user-space, the
distinction between middleware and the container is mostly academic
so it could be an idea supporting the NSS softtoken. Unfortunately, I
know rather little about NSS so I wonder if the idea is feasible or not.
Q1: Is is correct that you can only have a single PIN for all soft tokens?
Q2: Is it possible to add arbitrary data attributes to a key? I need such
in order to support credential logotypes and information cards.
thanx,
Anders
Robert Relyea
> Hi,
>
> I'm in the starting phase upgrading Firefox so that it can provision
> credentials in a way that that banks and governments require which
> among many things include E2ES (End-to-End Security) and issuer-
> specified PIN-codes (or just policies for user-defined dittos).
>
> The plan is mainly focusing on (enhanced) HW-tokens which NSS due
> to its PKCS #11 heritage doesn't support with any of the above.
>
> However, for "soft tokens" where all is running in user-space, the
> distinction between middleware and the container is mostly academic
> so it could be an idea supporting the NSS softtoken. Unfortunately, I
> know rather little about NSS so I wonder if the idea is feasible or not.
>
> Q1: Is is correct that you can only have a single PIN for all soft
> tokens?
multiple slots. You can even cause the NSS softoken to have multiple slots.
I also think that there is a definition on how to do key specific pins
in the later versions of PKCS #11. I think it involves using a special
user type, with the key operation already selected in the current
session. I'd have to go back and look, it might also just be I'm
remembering the AUTHENTICATE_ALWAYS semantic.
>
> Q2: Is it possible to add arbitrary data attributes to a key? I need
> such
> in order to support credential logotypes and information cards.
If these general token types, I suggest getting them added to the PKCS
#11 working group.
PKCS #11 also allows vendor defined attributes and objects. We use these
to supply NSS specific operations and objects, that aren't generally
interesting to the PKCS #11 group as a whole. If the ideas are generally
usable by a myriad of tokens, then trying to get them defined in the
working group is best.
There is also an already define generic 'data' object.
If these objects aren't really attached to the key , then it's own
object type would make more sense.
bob
>
> thanx,
> Anders
Matej Kurpel
> On 01/03/2011 01:04 PM, Anders Rundgren wrote:
>> Hi,
>>
>> I'm in the starting phase upgrading Firefox so that it can provision
>> credentials in a way that that banks and governments require which
>> among many things include E2ES (End-to-End Security) and issuer-
>> specified PIN-codes (or just policies for user-defined dittos).
>>
>> The plan is mainly focusing on (enhanced) HW-tokens which NSS due
>> to its PKCS #11 heritage doesn't support with any of the above.
>>
>> However, for "soft tokens" where all is running in user-space, the
>> distinction between middleware and the container is mostly academic
>> so it could be an idea supporting the NSS softtoken. Unfortunately, I
>> know rather little about NSS so I wonder if the idea is feasible or not.
>>
>> Q1: Is is correct that you can only have a single PIN for all soft
>> tokens?
> You have a single pin per 'slot'. Any PKCS #11 module can implement
> multiple slots. You can even cause the NSS softoken to have multiple slots.
>
> I also think that there is a definition on how to do key specific pins
> in the later versions of PKCS #11. I think it involves using a special
> user type, with the key operation already selected in the current
> session. I'd have to go back and look, it might also just be I'm
> remembering the AUTHENTICATE_ALWAYS semantic.
>
key and, unfortunately, NSS currently does not support this.
>> Q2: Is it possible to add arbitrary data attributes to a key? I need
>> such
>> in order to support credential logotypes and information cards.
> If these general token types, I suggest getting them added to the PKCS
> #11 working group.
> PKCS #11 also allows vendor defined attributes and objects. We use these
> to supply NSS specific operations and objects, that aren't generally
> interesting to the PKCS #11 group as a whole. If the ideas are generally
> usable by a myriad of tokens, then trying to get them defined in the
> working group is best.
vendor-specific attributes such as the value of CKO_NETSCAPE_CRL for
CKA_CLASS attribute. You can implement such vendor-specific attribute as
well.
> There is also an already define generic 'data' object.
> If these objects aren't really attached to the key , then it's own
> object type would make more sense.
>
> bob
>
>> thanx,
>> Anders
>
M. Kurpel
Anders Rundgren
I don't know exactly how to interpret this...
Does the softoken support PINs or not? How do you set it from Firefox?
OTOH, it would be strange if it did since none of the "upstream" components
like <keygen> has any support for PIN provisioning.
Most serious users of "soft token" PKI due that distributes their own
provisioning and keystore SW and that won't change because I say it should.
It probably takes Apple or Google to get the priorities straight ;-)
anders
Matej Kurpel
From what I know, it does not. It only supports a token-wide PIN (or
Password). Try opening up your Security Devices manager in Firefox or
Thunderbird, select Software security device from the left pane and as
you can see, you can only change a password for the whole token. (I
don't really know if there is one or if it's taken into account... I
have never used the software security device explicitly). Maybe someone
another in this list could shed some light on this...
M. Kurpel
Nelson B Bolyard
> Hi,
>
> I'm in the starting phase upgrading Firefox so that it can provision
> credentials in a way that that banks and governments require which
> among many things include E2ES (End-to-End Security) and issuer-
> specified PIN-codes (or just policies for user-defined dittos).
>
> The plan is mainly focusing on (enhanced) HW-tokens which NSS due
> to its PKCS #11 heritage doesn't support with any of the above.
I know a vendor of a product that includes tokens, pkcs#11 modules for
Windows and Linux, and CA web site software, which product claims to have
end-to-end (CA to token) security and (IIRC) Issuer-specified or issuer
policy controlled PINs. IINM, it is claimed that all communication with
the token is done through the PKCS#11 module. That vendor has at least
one representative who participates occasionally here. Perhaps he can
speak to how that product accomplishes what it does, and/or correct my
misperceptions about the product, Bob.
--
/Nelson Bolyard
Robert Relyea
> Matej Kurpel wrote:
>> On 4. 1. 2011 22:23, Robert Relyea wrote:
>>>> Hi,
>>>>
>>>> I'm in the starting phase upgrading Firefox so that it can provision
>>>> credentials in a way that that banks and governments require which
>>>> among many things include E2ES (End-to-End Security) and issuer-
>>>> specified PIN-codes (or just policies for user-defined dittos).
>>>>
>>>> The plan is mainly focusing on (enhanced) HW-tokens which NSS due
>>>> to its PKCS #11 heritage doesn't support with any of the above.
>>>>
>>>> distinction between middleware and the container is mostly academic
>>>> so it could be an idea supporting the NSS softtoken. Unfortunately, I
>>>> know rather little about NSS so I wonder if the idea is feasible or
>>>> not.
>>>>
>>>> Q1: Is is correct that you can only have a single PIN for all soft
>>>> tokens?
>>> You have a single pin per 'slot'. Any PKCS #11 module can implement
>>> multiple slots. You can even cause the NSS softoken to have multiple
>>> slots.
>>>
>>> I also think that there is a definition on how to do key specific pins
>>> in the later versions of PKCS #11. I think it involves using a special
>>> user type, with the key operation already selected in the current
>>> session. I'd have to go back and look, it might also just be I'm
>>> remembering the AUTHENTICATE_ALWAYS semantic.
>>>
>> Yes, it's CKA_ALWAYS_AUTHENTICATE attribute set to TRUE for a private
>> key and, unfortunately, NSS currently does not support this.
couple of versions, but none have ever been checked in. I would love it
if someone who really cares (and has tokens which support this semantic
to drive getting this in.
I'm still not sure that CKA_ALWAYS_AUTHENTICATE means that there is a
separate pin for the key, however. I'd have to look it up in the spec.
>
> I don't know exactly how to interpret this...
> Does the softoken support PINs or not? How do you set it from Firefox?
You are asking lots in imprecise questions, so I'm not sure exactly what
you are asking here.
1. Softoken does support slot pins. You can set it from firefox by
setting the 'master password'. If you have multiple slots defined (which
equates to multiple key/cert databases), you can use the security
manager to set the pin.
2. Softoken does not support either CKA_ALWAYS_AUTHENTICATE, nor does
softoken currently support multiple pins. It does not mean it couldn't
in principle support these.
> OTOH, it would be strange if it did since none of the "upstream"
> components
> like <keygen> has any support for PIN provisioning.
Setting a pin on a specific key would probably also require NSS support.
The CKA_ALWAYS_AUTHENTICATE patch presumes an already provisioned key.
>
> Most serious users of "soft token" PKI due that distributes their own
> provisioning and keystore SW and that won't change because I say it
> should.
> It probably takes Apple or Google to get the priorities straight ;-)
Someone who cares, has the infrastructure to test it, and supplies
patches would also go a long way.;).
bob
>
> anders
Robert Relyea
> On 2011-01-03 13:04 PDT, Anders Rundgren wrote:
>> Hi,
>>
>> I'm in the starting phase upgrading Firefox so that it can provision
>> credentials in a way that that banks and governments require which
>> among many things include E2ES (End-to-End Security) and issuer-
>> specified PIN-codes (or just policies for user-defined dittos).
>>
>> The plan is mainly focusing on (enhanced) HW-tokens which NSS due
>> to its PKCS #11 heritage doesn't support with any of the above.
> Windows and Linux, and CA web site software, which product claims to have
> end-to-end (CA to token) security and (IIRC) Issuer-specified or issuer
> policy controlled PINs.
only exposes a single pin.
> IINM, it is claimed that all communication with
> the token is done through the PKCS#11 module.
platform secure channels to communicate to the card. The APDU's are
specific for the cards applet.
Anders Rundgren
<snip>
> Token provisioning is outside the PKCS #11 module. It uses global
> platform secure channels to communicate to the card. The APDU's are
> specific for the cards applet.
Yes, and this is why Firefox and other browsers are slightly incompatible
with the web from a client-side PKI perspective since none of the above
is likely to ever be supported from a browser down to crypto middleware
and token.
Therefore I maintain that a high(er)-level E2ES provisioning scheme like SKS
will eventually make PKI "a better password", not only for security reasons
but also from a usability perspective. SKS does not build on Global Platform
because GP is tied to a business model which IMHO makes GP less suited for
an Internet populated by a gazillion of users and providers.
You should be able to buy an "Internet token" at Wal-Mart that can be used
"as is" without awkward driver installation.
Such functionality might one day even be a part of NSS since SKS is
designed to be a "companion API" to PKCS #11 :-)
Anders
http://webpki.org/auth-token-4-the-cloud.html