- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Thu, 4 Jun 2009 22:38:31 +0200
redirected FYI :-)

Eddy Nigg wrote:
>> A guesstimate is that less than 1 out of 10 000 smart cards actually
>> are provisioned with <keygen>.
> Can you back up your statement with facts please?

I wrote "guesstimate".

However, if we exclude a limited number of security nerds (that mainly produce cards for themselves), and concentrate on REAL smart card deployments; you got about a million eID cards in Estonia. None of these were provisioned using <keygen>; they were presumably produced in some kind of card factory.

For enterprises most of us know that Windows is the de-facto standard so even if they had actually used end-user provisioning, it would have been through Xenroll and CSPs rather than with <keygen> and PKCS #11.

But why in the world would anybody bother with <keygen>, Xenroll, or generateCRMFRequest, for provisioning smart cards when:

- you still have to do 80% of the gory stuff (formatting, PIN, PUK) in a Windows-only proprietary card management application?
- all bets are off regarding where keys actually were created?

That is, <keygen> is left for "soft certificates" that by default are not even PIN-protected. In my vocabulary that spells "insignificant".

Anders

----- Original Message -----
From: "Eddy Nigg" <eddy_nigg@startcom.org>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto at lists.mozilla.org>
Sent: Thursday, June 04, 2009 20:52
Subject: Re: Smart cards and the <keygen> element

On 06/04/2009 09:40 PM, Anders Rundgren:
> A guesstimate is that less than 1 out of 10 000 smart cards actually
> are provisioned with <keygen>.

Can you back up your statement with facts please?

--
Regards
Received on Thursday, 4 June 2009 13:38:31 UTC