[whatwg] Smart cards and the <keygen> element
anders.rundgren at telia.com
Thu Jun 4 13:38:31 PDT 2009
redirected FYI :-)
Eddy Nigg wrote:
>> A guesstimate is that less than 1 out of 10 000 smart cards actually
>> are provisioned with <keygen>.
> Can you backup your statement with facts please?
I wrote "guesstimate". However, if we exclude a limited number
of security nerds (that mainly produce cards for themselves), and
concentrate on REAL smart card deployments; you got about a
million eID cards in Estonia, None of these were provisioned using
<keygen>; they were presumably produced in some kind of card factory.
For enterprises most of us know that Windows is the de-facto standard
so even if they had actually used end-user provisioning, it would have been
through Xenroll and CSPs rather than with <keygen> and PKCS #11.
But why in the world would anybody bother with <keygen>, Xenroll,
or generateCRMFRequest, for provisioning smart cards when:
- you still have to do 80% of the gory stuff (formatting, PIN, PUK)
in a Windows-only proprieterary card management application?
- all bets are off regarding where keys actually were created?
That is, <keygen> is left for "soft certificates" that by default are not
even PIN-protected. In my vocabulary that spells "insignificant".
----- Original Message -----
From: "Eddy Nigg" <eddy_nigg at startcom.org>
To: <dev-tech-crypto at lists.mozilla.org>
Sent: Thursday, June 04, 2009 20:52
Subject: Re: Smart cards and the <keygen> element
On 06/04/2009 09:40 PM, Anders Rundgren:
> A guesstimate is that less than 1 out of 10 000 smart cards actually
> are provisioned with <keygen>.
Can you backup your statement with facts please?
More information about the whatwg