Re: A somewhat lame Web Crypto PIN provisioning solution from Anders Rundgren on 2013-04-03 (public-webcrypto-comments@w3.org from April 2013)

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Wed, 03 Apr 2013 10:17:11 +0200
To: Ryan Sleevi <sleevi@google.com>
CC: public-webcrypto-comments@w3.org, Nick Van den Bleeken <Nick.Van.den.Bleeken@inventivegroup.com>
Message-ID: <515BE587.6030109@telia.com>

On 2013-04-03 09:07, Ryan Sleevi wrote:
> Depends on the API.
> 
> Keychain and CryptoAPI/CNG (at least, every major CSP/KSP) handle prompting at a layer below/out of the applications control.

Ok, I think this was a misunderstanding but when you said that you had hesitation about
"applications to force interaction" I thought that included keys that would indirectly
exhibit the same behavior (due to earlier set PIN protection) which also would be valid
for the Belgian eID and similar.  In the latter it is never the user who assigns a
PIN-policy; it is an issuer exclusive.

> The only place where an app directly prompts is PKCS#11, and that's only when not using secure pin entry.
> 
> So the vast majority of deployed APIs (as used by desktop browsers) absolutely have the limitations I highlighted.
> 
> Further, the goal of most new APIs is to move pin entry out of the application realm (where, eg, malware can grab it) and into the trust zone (eh: unspoofable LocalSystem).
> 
> So again, the proposal for PIN management doesn't reflect where the industry is at or headed....

It is just a simple way adding PIN-protection to keys in the waiting for the industry-solution.

In addition, nothing prevents the implementer moving the PIN entry (with the notable exception
of its initiation) to protected/trusted zones and GUI.  The same goes for the actual keys.

Anders

> On Apr 2, 2013 11:53 PM, "Anders Rundgren" <anders.rundgren@telia.com <mailto:anders.rundgren@telia.com>> wrote:
> 
>     On 2013-04-02 21:40, Ryan Sleevi wrote:
> 
>     <snip>
>     > I also have a lot of
>     > hesitation with exposing more controls for applications to force
>     > interaction - as shown by things like window.alert, it's fairly easy
>     > to abuse. If anything, ISTM that "prompt to use this key" is something
>     > the user themselves should set
>     </snip>
> 
>     This contrasts with the following statement by another WG member (?):
> 
>     http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Apr/0015.html
> 
>     Anders
>

Received on Wednesday, 3 April 2013 08:17:54 UTC