Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Replacement for generateCRMFrequest ()
13 views
Skip to first unread message
Anders Rundgren
Sep 1, 2008, 3:30:04 AM9/1/08
to dev-tec...@lists.mozilla.org
The following fragment of a coming XML-based
provisioning scheme shows a somewhat extended generateCRMFrequest () where a PIN can span from 1
to n keys. The example uses a shared
(synchronized) PIN for multiple keys which is useful when you deploy PKI
and OTP. In addition there is an issuer-specified PUK as well (the
encrypted value is in another section not shown for brevity).
Presumably you don't need to be an XML "guru" in order to digest the following
lines:
<CreateObject>
<PUKPolicy Format="numeric" Hidden="true" RetryLimit="3" ValueReference="Item.1">
<PINPolicy Format="numeric" Grouping="shared" MaxLength="8" MinLength="4" PatternRestrictions="three-in-a-row sequence" RetryLimit="3">
<KeyPair ID="Key.1" KeyUsage="universal">
<RSA KeySize="2048"/>
</KeyPair>
<KeyPair ID="Key.2" KeyUsage="piggybacked-symmetric-key">
<RSA KeySize="1024"/>
</KeyPair>
</PINPolicy>
</PUKPolicy>
</CreateObject>
<PUKPolicy Format="numeric" Hidden="true" RetryLimit="3" ValueReference="Item.1">
<PINPolicy Format="numeric" Grouping="shared" MaxLength="8" MinLength="4" PatternRestrictions="three-in-a-row sequence" RetryLimit="3">
<KeyPair ID="Key.1" KeyUsage="universal">
<RSA KeySize="2048"/>
</KeyPair>
<KeyPair ID="Key.2" KeyUsage="piggybacked-symmetric-key">
<RSA KeySize="1024"/>
</KeyPair>
</PINPolicy>
</PUKPolicy>
</CreateObject>
The only real snag with this scheme is that it
doesn't fit smart cards, but I anticipate that mobile phones will take their
role since the latter combine HW-based cryptography (already featured in
high-end Nokia phones) with powerful processors, displays, keyboards,
extensive connectivity options, and Gb storage capabilities. Yes, it
would of course work with an extended soft token provider as well!
Now to a problem regarding implementing this
FireFox: Recent versions of MSIE as well as Android's WebKit,
have an advantage compared to Mozilla since they in reality offer a richer
development platform due to the links to .NET and Java respectively. I
hope the Mozilla team some day consider adopting JSE or Mono as the
foundation for extensibility rather than adding missing pieces like XML
validation and security to the Mozilla core because the latter may turn out
to be a dead-end.
The current implementation plan is to add this
in parallel to Mozilla's security architecture in the same way as
some other Open Source groups have added support for Information Cards to
Firefox. Unfortunately it won't be able to
support TLS-client-cert-auth but there is a replacement for that as well
which is more in line with Information Cards; in fact the GUI is
identical.
In case you are interested in this work, just drop
me a line.
Anders Rundgren
WebPKI.org
0 new messages