343717 - allow to use qualified certificates through pkcs11 "security device" - qc statement

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[Ralf Hauser]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Several countries (e.g. .hu as per bug 277797) are in the process of issuing legally binding certificates - so also Switzerland.

It appears that for example the siemens smart cards are popular for this purpose.
The good news is that with the pkcs11 "security device" manager, the siecap11.dll works and it is possible to login into the device.

Unfortunately, when trying to sign, the signing key plus certificate are not visible. It appears that because the PSM doesn't know the qcstatement oid (as per Bug 277797 comment 2), it simply is ignored in a similar way to Bug 331336.

Reproducible: Always

Actual Results:  
cannot sign in a "qualified way" in Thunderbird

Expected Results:  
can sign qualified

It would be good to be able to sign with such high quality certificates even before these signature validate in the PSM!

Comment 1

[Ralf Hauser]

Attachment: qual_cert.jpg

what you see when the device is up

Comment 2

[Ralf Hauser]

see also openssl issue tracker item https://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1360 on the same topic

Comment 3

[Kai Engert [:KaiE:]]

Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody

Comment 4

[Dana Keeler (she/her) (use needinfo) [:keeler]]

We won't be implementing support for this at this time.