W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Request for feedback: DOMCrypt API proposal

From: Richard L. Barnes <rbarnes@bbn.com>
Date: Mon, 6 Jun 2011 11:29:17 -0400
Cc: public-web-security@w3.org
Message-Id: <7B398C1D-1035-4449-BB01-94CDA612D706@bbn.com>
To: David Dahl <ddahl@mozilla.com>
I understand that DOMCrypt is for the web.  But the crypto stuff is going to be provided somehow, either from a library (e.g., OpenSSL), an OS API (e.g., the MS CryptoAPI), or a hardware device.  The latter sector has long standardized on PKCS11 as an interface.  The OpenDNSSEC crowd also have a software crypto library that offers a PKCS11 interface:
<http://trac.opendnssec.org/wiki/SoftHSM>
The idea would be to simplify exposing these existing crypto functions to the web.

More so than the specific API format, there are design patterns that PKCS11 encourages, e.g., the generation and keeping of keys within the crypto system, as opposed to feeding them in from outside (i.e., from the application).  I think this is what Stephen was referring to.

--Richard



On Jun 6, 2011, at 10:10 AM, David Dahl wrote:

> Richard:
> 
> This API is a pure web application API. I would like to study how we can extend this API for use with smart cards as there are a few use cases here as well. I would really like for someone with experience writing code for smart cards to help me figure this out.
> 
> Cheers,
> 
> David
> 
> ----- Original Message -----
> From: "Richard L. Barnes" <rbarnes@bbn.com>
> To: "David Dahl" <ddahl@mozilla.com>
> Cc: public-web-security@w3.org
> Sent: Sunday, June 5, 2011 8:45:34 PM
> Subject: Re: Request for feedback: DOMCrypt API proposal
> 
> I apologize if this question is obvious; I haven't had a chance to read the document yet.
> 
> Is there any notion of how this document relates to the PKCS11 standard for interfacing to crypto devices?  
> <http://en.wikipedia.org/wiki/PKCS11>
> 
> PKCS11 clearly has more things than the DOMCrypt API would require (e.g., the ability to select and log into different devices).   But it seems like it would simplify implementation for browsers if they could just present a script with something logically equivalent to a virtual PKCS11 device, probably one per origin.  Especially given that at least one browser (Firefox) can use PKCS11 to talk to hardware devices.
> 
> --Richard
> 
Received on Monday, 6 June 2011 15:30:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 6 June 2011 15:30:13 GMT