W3C home > Mailing lists > Public > public-web-security@w3.org > November 2014

Re: [Web Crypto Next] Lets start discussing !

From: helpcrypto helpcrypto <helpcrypto@gmail.com>
Date: Thu, 6 Nov 2014 09:43:59 +0100
Message-ID: <CAHMQSguSuFdH83Oa9zRW1qxQrR20DcJGAHduVBs-=PxVTrayHg@mail.gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>, s2.verma@samsung.com, Virginie.Galindo@gemalto.com
Hi


Anders: as you seem to have the decisive voice in here, since our last
talk, what has changed?


As you know, I'm of the opinion that is better to keep smartcards as secure
elements where keys can be stored, than throwing all to the recycle bin.
In our case we have a JavaCard, so we could even stablish a mutual trust
channel between server and card for population process. Older cards are
probably a bigger problem ;)
It's true that PKI doesnt support "key usages for specific domains",
something FIDO does. Does anyone know a way to implement this using
traditional PKI?

Can you imagine/describe a secure/valid scenario where smartcards are one
possible secure keystore for a PKI cert, being possible to auth+sign
documents using Javascript? (do it with all the effort/strengh of your
imagination!!!)


Sanjeev: AFAIK, FIDO group is not open neither open to community
participation.
IIRC, there was a possibility of loading a FIDO applet inside my
Javacard+requesting a PIN to login, even a RAW/APDU spec.

As FIDO is not PKI based, will that mean I have to dump what I already
have? (millions of certs from different CAs used by millions of users to
auth and sign documents?

Actually we do this using an awful applet, and thats what we want to avoid.


Perfect is the enemy of good. Perhaps we should reach an agreement-solution.

PS: Virgine (): based on your experience, does people from the Webcrypto WG
have anything to say related to this? I know smartcards were out of scope.
were the different viewpoints the reason? do they 'like' the idea of
including smartcards on spec? Do manufacturer/providers/vendors/big actors
have something to say? is FIDO what they say?


Regards
Received on Thursday, 6 November 2014 08:44:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:22 UTC