Depends on the API. Keychain and CryptoAPI/CNG (at least, every major CSP/KSP) handle prompting at a layer below/out of the applications control. The only place where an app directly prompts is PKCS#11, and that's only when not using secure pin entry. So the vast majority of deployed APIs (as used by desktop browsers) absolutely have the limitations I highlighted. Further, the goal of most new APIs is to move pin entry out of the application realm (where, eg, malware can grab it) and into the trust zone (eh: unspoofable LocalSystem). So again, the proposal for PIN management doesn't reflect where the industry is at or headed.... On Apr 2, 2013 11:53 PM, "Anders Rundgren" <anders.rundgren@telia.com> wrote: > On 2013-04-02 21:40, Ryan Sleevi wrote: > > <snip> > > I also have a lot of > > hesitation with exposing more controls for applications to force > > interaction - as shown by things like window.alert, it's fairly easy > > to abuse. If anything, ISTM that "prompt to use this key" is something > > the user themselves should set > </snip> > > This contrasts with the following statement by another WG member (?): > > > http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Apr/0015.html > > Anders > >
Received on Wednesday, 3 April 2013 07:07:49 UTC