
Re: root certs on smart cards: msg#00237

encryption.opensc.devel

Subject: Re: root certs on smart cards

Justin Karneges wrote:
> ...
> Maybe an example scenario would make my question more clear:
>
> If you were browsing with Mozilla, had your smart card plugged in, and visited a site with an unknown self-signed certificate, would it be sensible that if you chose to accept the cert,

only if you know that you can trust it, hence unknown self-signed certs
are pretty useless to prove the other's identity

> Mozilla would write it to the card instead of to its own internal storage?

afaik no, this would not make much sense. You only put certs on the
card when you install keys (note: storing trusted certificates is
even a bit more complicated in general as only the card issuer normally
has the necessary permission to write such certs and not the user)

> And that future visits to the site would be validated using the smart card?

no, cert verification is done by the ssl lib of the browser (this
task is far too complex for a smartcard), smartcards are only used
for client authentication (in the ssl context)

> This concept also hinges on the ability to mark a cert as trusted on the card.

pkcs15 and other standards offer this possibility

> If there is no way to do this, then it wouldn't be possible to distinguish trusted vs non-trusted certs.

Nils

