[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 09:37:30 PDT 2005

Aleksey Sanin wrote:

> Well, I don't think you are correct. NSS provides "best slot"
> functions exactly for this purpose. User selects which operations
> should be performed on which slot, you configure NSS that way and
> everything magicaly works. As far as I know, this is how Mozilla
> uses NSS (you might want to ask for more details in NSS mailing list).
> Aleksey
Sorry, probably you're right, but I believe there is a disguise.

The best slot paradigm adopted by NSS (as I can read from the source 
code - nss/lib/pk11wrap/pk11slot.c) is based on the slot selection bay 
In a digital signature application, as I conceive it (and probably I'm 
wrong, but don't know how) an end-user:
- first decides which slot/token to use (i.e. which smart-card to use, 
and a user may have more than one card mounted on the system at a given 
- then selects a certificate in that smart-card (and the associated 
private key),
- finally decides to sign with that certificate (i.e. with the 
associated private-key, but that is unnamed from his point of view).
So at the signing time the application knows everythig, and the signing 
layer should decide if the selected certificate/private-key is good for 
signing or not.

So in this scenario the "best-slot" is not the slot that best adapts to 
my needs, but the slot/token I (the end-user) selected before: if the 
selected slot/token is good for my purposes then the signature is 
performed, otherwise I expect that the signing layer returns an error of 
the type 'the selected slot/token is not good for performing the 
requested action'.

I already developed some signing applications (not for XML files), and 
had always adopted this schema.

This was the sense of my objection.

Kind regards


Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)

More information about the xmlsec mailing list