[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 09:37:30 PDT 2005 

Aleksey Sanin wrote:

> Well, I don't think you are correct. NSS provides "best slot"
> functions exactly for this purpose. User selects which operations
> should be performed on which slot, you configure NSS that way and
> everything magicaly works. As far as I know, this is how Mozilla
> uses NSS (you might want to ask for more details in NSS mailing list).
>
> Aleksey
>
Sorry, probably you're right, but I believe there is a disguise.

The best slot paradigm adopted by NSS (as I can read from the source 
code - nss/lib/pk11wrap/pk11slot.c) is based on the slot selection bay 
'mechanism-type'.
In a digital signature application, as I conceive it (and probably I'm 
wrong, but don't know how) an end-user:
- first decides which slot/token to use (i.e. which smart-card to use, 
and a user may have more than one card mounted on the system at a given 
time),
- then selects a certificate in that smart-card (and the associated 
private key),
- finally decides to sign with that certificate (i.e. with the 
associated private-key, but that is unnamed from his point of view).
So at the signing time the application knows everythig, and the signing 
layer should decide if the selected certificate/private-key is good for 
signing or not.

So in this scenario the "best-slot" is not the slot that best adapts to 
my needs, but the slot/token I (the end-user) selected before: if the 
selected slot/token is good for my purposes then the signature is 
performed, otherwise I expect that the signing layer returns an error of 
the type 'the selected slot/token is not good for performing the 
requested action'.

I already developed some signing applications (not for XML files), and 
had always adopted this schema.

This was the sense of my objection.

Kind regards

Clizio

-- 
----------------------------
Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------

More information about the xmlsec mailing list