[xmlsec] Use of smart-cards to perform cryptographic operations
clizio at net4u.it
Mon May 16 09:37:30 PDT 2005
Aleksey Sanin wrote:
> Well, I don't think you are correct. NSS provides "best slot"
> functions exactly for this purpose. User selects which operations
> should be performed on which slot, you configure NSS that way and
> everything magicaly works. As far as I know, this is how Mozilla
> uses NSS (you might want to ask for more details in NSS mailing list).
Sorry, probably you're right, but I believe there is a disguise.
The best slot paradigm adopted by NSS (as I can read from the source
code - nss/lib/pk11wrap/pk11slot.c) is based on the slot selection bay
In a digital signature application, as I conceive it (and probably I'm
wrong, but don't know how) an end-user:
- first decides which slot/token to use (i.e. which smart-card to use,
and a user may have more than one card mounted on the system at a given
- then selects a certificate in that smart-card (and the associated
- finally decides to sign with that certificate (i.e. with the
associated private-key, but that is unnamed from his point of view).
So at the signing time the application knows everythig, and the signing
layer should decide if the selected certificate/private-key is good for
signing or not.
So in this scenario the "best-slot" is not the slot that best adapts to
my needs, but the slot/token I (the end-user) selected before: if the
selected slot/token is good for my purposes then the signature is
performed, otherwise I expect that the signing layer returns an error of
the type 'the selected slot/token is not good for performing the
I already developed some signing applications (not for XML files), and
had always adopted this schema.
This was the sense of my objection.
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
Socio AIP (Associazione Informatici Professionisti)
More information about the xmlsec