[whatwg] Smart cards and the <keygen> element

redirected FYI :-)

Eddy Nigg wrote:
>> A guesstimate is that less than 1 out of 10 000 smart cards actually
>> are provisioned with <keygen>. 

> Can you backup your statement with facts please?

I wrote "guesstimate".  However, if we exclude a limited number
of security nerds (that mainly produce cards for themselves), and
concentrate on REAL smart card deployments; you got about a
million eID cards in Estonia,  None of these were provisioned using
<keygen>; they were presumably produced in some kind of card factory.

For enterprises most of us know that Windows is the de-facto standard
so even if they had actually used end-user provisioning, it would have been
through Xenroll and CSPs rather than with <keygen> and PKCS #11.

But why in the world would anybody bother with <keygen>, Xenroll,
or generateCRMFRequest, for provisioning smart cards when:

-  you still have to do 80% of the gory stuff (formatting, PIN, PUK)
   in a Windows-only proprieterary card management application?

- all bets are off regarding where keys actually were created?

That is, <keygen> is left for "soft certificates" that by default are not
even PIN-protected.   In my vocabulary that spells "insignificant".

Anders 


----- Original Message ----- 
From: "Eddy Nigg" <eddy_nigg@startcom.org>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto at lists.mozilla.org>
Sent: Thursday, June 04, 2009 20:52
Subject: Re: Smart cards and the <keygen> element


On 06/04/2009 09:40 PM, Anders Rundgren:
> A guesstimate is that less than 1 out of 10 000 smart cards actually
> are provisioned with <keygen>. 

Can you backup your statement with facts please?


-- 
Regards

Received on Thursday, 4 June 2009 13:38:31 UTC