Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

From: Nico Williams <nico@cryptonector.com>
Date: Mon, 6 Jun 2011 20:58:48 -0500
Message-ID: <BANLkTi=KxOxDubtXfwmqSTd2cZwLOLy=WA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: "Richard L. Barnes" <rbarnes@bbn.com>, David Dahl <ddahl@mozilla.com>, public-web-security@w3.org

On Mon, Jun 6, 2011 at 11:16 AM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
> Although I'm not a DOMCrypt champion, I think this is where DOMCrypt
> shouldn't go.  PKCS #11 and Smart Cards are very complex and unsuitable
> for web programming.  The biggest smart card maker Gemalto launched a
> web-interface for smart cards a few years back called SCConnect.

PKCS#11 is difficult to use.  One thing we learned at Sun (later
Oracle) is that a simple raw crypto API is highly desirable, with
PKCS#11 relegated to using keys on tokens (smartcards).

That said, a smartcard interface is the most we could do in terms of
browser integration with JS crypto APIs, and even that is pretty lousy
-- the user can't possibly know what some script intends to do with
some key, nor can the browser figure it out either.  And yet, if we
don't even do that, then what do we expect a JS crypto API to do for
us, in terms of security?  A JS crypto API will NOT help us improve
security unless we also greatly improve server/script authentication.

Nico
--
Received on Tuesday, 7 June 2011 01:59:14 UTC
