Re: VERY IMPORTANT but unclear

On Oct 22, 2013 6:23 PM, "Mountie Lee" <mountie@paygate.net> wrote:
>
> Hi.
> I think keystore is very important in crypto operations.
> but it is out-of-scope.
>
> how secure is the keystore?

This is covered in security considerations. Assume no special security on
the local machine - only from the web.

> will it have backward compatibility with Windows CSP or NSS?

Up to implementors, but not defined using the base API. Would need a
separate spec. I would strongly hope the answer is 'No'.

> can we protect the keystore with a PIN?
>

No.

> many things are unclear.

They're clearly not supported or required.

>
> if the keystore is unsafe or not acceptable, many features in webcrypto
> spec will be unusable.

Not really. It depends on use case. A vast number of use cases can be met
here without your requirements. And you can likely meet your requirements
once you architect for the API, rather than trying to match your legacy
native apps.

>
> can we touch the keystore security requirements?

No

> can we move some part of keystore to in-scope?

No

>
> regards
> mountie.
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World

Received on Wednesday, 23 October 2013 02:17:51 UTC