Re: smartcard or Pkcs11 support? from Ryan Sleevi on 2015-01-07 (public-webcrypto-comments@w3.org from January 2015)

From: Ryan Sleevi <sleevi@google.com>
Date: Tue, 6 Jan 2015 20:14:48 -0800
To: Billy Simon Chaves <b.simon@hermes-soft.com>
Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Message-ID: <CACvaWvbM7e-5RM+-dRB-CWrpbA_t7b+6JT4Dp9s8c3y11b6kng@mail.gmail.com>

On Tue, Jan 6, 2015 at 3:48 PM, Billy Simon Chaves <b.simon@hermes-soft.com>
wrote:

> Hello over there,
>
> Several questions:
>
> - Are you planning to add support for crypto modules, such as smart cards
> or usb tokens some time in the future?
>

As an implementor, no.
As a member of the WG, we'd be fairly opposed to efforts to recharter as
such (as noted in the TPAC minutes -
http://www.w3.org/2014/10/30-crypto-minutes.html#item04 )


> - What about support for pkcs11 modules, x509 certificates, and PKI in
> general?
>

Modules: Definitely not
X509 certificates and PKI - there is no need for WebCrypto to handle this
in particular; see PKI.js


> - What about time stamping support required for advanced digital signature
> standards?
>

Already implementable in JS. Nothing is needed of WebCrypto. See pki.js as
an example of this.


>
> In Costa Rica, and I think it is the case in several other countries, it
> is mandatory to use smart cards to store the private keys used to sign
> transactions and documents that are legally bounding.  In Costa Rica we
> have several government approved CAs which issue X509 certificates to Costa
> Rica's citizens. Private keys are generated and stored inside smart cards
> that comply with FIPS 140-2 level 3 and citizen certificates must be signed
> by a Government approved CA.  Government web applications that requiere
> digital signature typically use proprietary java applets or np-api plugins
> in order to interact with the smart card, sometimes using Windows
> CryptoApi, and some times using a Pkcs11 module.
>
> In the other hand Chrome will phase out support for java applets and npapi
> very soon, so many government web apps will stop working with Chrome.
> Googles advice for replacing plugins that deal with security is to use Web
> Crypto Standard, but in the scenario I just described the standard is not
> there yet.
>

That's not entirely accurate. What you're looking for is
http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html


>
> Also in Costa Rica and in other countries it is required to use advanced
> digital signature standards such as CADES, XADES, which require time
> stamping the digital signature.  The timestamp must be obtained from and
> generated by a government approved time stamping authority.
>
> By the way I felt really disappointed when I read your Web Crypto use
> case, 3.1 banking transactions,  you said “The Gangnam Bank web site then
> generates a public key/private key pair and stores the key pair in
> client-side storage, along with a one-time key escrow by the bank”.  The
> person who wrote this decided to ignore 30 years of PKI developement. I
> suggest him to consider all of the RFCs that address how public key
> infrastructure should work in the Internet.
>
>
The person who wrote this is quite familiar with how PKI works (and should)
on the Internet. This was an explicit choice to document what would work,
with the omission of what's requested here a statement about what would not.

That said, most of the use cases are fairly bunk in practice and more
hand-wavy than practical.

Received on Wednesday, 7 January 2015 04:15:15 UTC