Re: HW Sec Workshop - Citizen Identity

On 2016-04-22 00:08, Tony Arcieri wrote:
> I think you're correct: this scheme explicitly calls out PIV, and while some sort of PKCS#11 bridge sounds like a great idea to PIV card manufacturers, from my perspective (as someone sitting in the middle between the PIV card manufacturers and the browsers) I do not think browser vendors are interested in generally adopting a PKCS#11 bridge into browsers. I agree with not exposing PKCS#11 into the browser: authentication strategies for the web need to respect the Same-Origin Policy, and PKCS#11 does not.
>
> Without respecting SOP, users are asked to make decisions about the mapping of origins to their hardware tokens, and any time you introduce user choice into authentication you're making the user experience more hostile and weakening security.

Thanx Tony,
This is of course true but there's a catch; Citizen identity solutions is about reusing/sharing the same identity with multiple domains.

What I was trying to say is that workshop addresses this topic by [apparently] asking for additions to Web browsers including some kind of signature facility which for the reasons you mention simply put won't happen.

IMO, Citizen identity solutions on the Web rather need a specific workshop where (among many things), the FIDO alliance and W3C should inform the market how they look at this issue since the TAG and WebAppSec people refer to FIDO as "the solution".

Personally I see three possibilities

  * Using FIDO with IdPs including server-based signature support
  * Bypass the restrictions imposed by the Web through Apps by using (not overly cool) OOB arrangements.  This concept is already widely deployed for multiple applications
  * Create a standardized extension mechanism loosely modeled after Chrome's native messaging system

Anders

>
> -- 
> Tony Arcieri