Re: HW Sec Workshop - Citizen Identity from Tony Arcieri on 2016-04-21 (public-web-security@w3.org from April 2016)

From: Tony Arcieri <bascule@gmail.com>
Date: Thu, 21 Apr 2016 15:08:29 -0700
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <CAHOTMV+J0JEWF-hRLOD_ZfcHAbZfXt3ZmJdhoG0BmKBsCdp3iw@mail.gmail.com>

I think you're correct: this scheme explicitly calls out PIV, and while
some sort of PKCS#11 bridge sounds like a great idea to PIV card
manufacturers, from my perspective (as someone sitting in the middle
between the PIV card manufacturers and the browsers) I do not think browser
vendors are interested in generally adopting a PKCS#11 bridge into
browsers. I agree with not exposing PKCS#11 into the browser:
authentication strategies for the web need to respect the Same-Origin
Policy, and PKCS#11 does not.

Without respecting SOP, users are asked to make decisions about the mapping
of origins to their hardware tokens, and any time you introduce user choice
into authentication you're making the user experience more hostile and
weakening security.

-- 
Tony Arcieri

Received on Thursday, 21 April 2016 22:09:16 UTC