- From: Martin Paljak <martin.paljak@ria.ee>
- Date: Mon, 25 Apr 2016 09:17:59 +0300
- To: <public-web-security@w3.org>
On 22/04/16 01:08, Tony Arcieri wrote: > I think you're correct: this scheme explicitly calls out PIV, and while > some sort of PKCS#11 bridge sounds like a great idea to PIV card > manufacturers, from my perspective (as someone sitting in the middle > between the PIV card manufacturers and the browsers) I do not think > browser vendors are interested in generally adopting a PKCS#11 bridge > into browsers. I agree with not exposing PKCS#11 into the browser: > authentication strategies for the web need to respect the Same-Origin > Policy, and PKCS#11 does not. > > Without respecting SOP, users are asked to make decisions about the > mapping of origins to their hardware tokens, and any time you introduce > user choice into authentication you're making the user experience more > hostile and weakening security. It amazes me that for some reason many people seem to equate "eID" (like PIV) and "PKCS#11". Browser vendors don't want it (for a good reason) and nobody sane enough is proposing to include something as generic and low level implementation specific as PKCS#11 *into the browser*. This has been discussed over and over again.
Received on Monday, 25 April 2016 06:18:30 UTC