- From: Tony Arcieri <bascule@gmail.com>
- Date: Tue, 24 Nov 2015 14:16:03 -0800
- To: Erik Anderson <eanders@pobox.com>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>
- Message-ID: <CAHOTMVJENwBEZYnBp=VtGBEhg4raYh2Dtdne2hM4e90P-vgp4w@mail.gmail.com>
On Tue, Nov 24, 2015 at 1:19 PM, Erik Anderson <eanders@pobox.com> wrote: > Speaking as someone who works in the "financial industry" who also >>> attended the W3C's WebCrypto Next Steps workshop, PKCS#11 has a >>> design which is hostile to usage in browsers, particularly around >>> providing a meaningful user experience and easy-to-understand >>> interaction flows for user consent. >>> >> > Yubikey only exposes the PKCS#11 to the soft card module/PIV Applet, not > to the browser JavaScript. However, U2F's origin-bound certificates are exposed to the browser, because they are designed for use in a browser, and can be used to sign documents, credentials, or what have you with JavaScript (with cryptography performed on a hardware token and authenticated by whatever UI the hardware device provides). Public/Private keys isnt the right answer. You might want to take a look at > > 1) 2013 President Obama tells the world the US Government must stop > sabotaging public cryptography. NSA has been sabotaging the general public > cryptography for decades. > page 22 of > https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf > 2) August 2015 - NSA tells the world don't trust the security Bitcoin was > built on. ECC (Elliptical Curve Cryptography) is very susceptible to > quantum computing attacks. > - https://www.nsa.gov/ia/programs/suiteb_cryptography/ > - ECC vulnerabilities https://eprint.iacr.org/2015/1018.pdf (Pay > particular interest to this one) > > We need to move away from using public/private keys as the form of > identity. Its definitely not a credential that's bound to the individual. Your argument is "public key cryptography doesn't work"? #2 in particular is complete FUD. The NSA's actual recommendations were to move away from a 128-bit security level and had nothing specific to say about ECC that they didn't say about symmetric ciphers and hash functions. Koblitz published a paper around the same time talking about attacks on "verifiably random" elliptic curves such as the NIST curves and Brainpool, however he specifically calls out the process used for next generation elliptic curves by the IRTF's CFRG as being a way to solve attacks on weak curves (by explicitly selecting strong curves). Matt Green also had a blog post speculating the NSA may have broken ECDLP somehow, but it's little more than a guess on his part. Don't get me wrong, I love using symmetric cryptography as much as possible, but for problems like TLS token/channel binding public key cryptography is the only solution, because that's what TLS uses to authenticate principals in a key exchange. In the meantime until someone builds a large quantum computer or makes some mathematical breakthrough algorithms like RSA (using proper public exponents, padding, etc) and ECC (using modern elliptic curves like the CFRG curves) are fine and the only option for authenticating peers with TLS. The past problems with public key cryptography have been with things like cross-origin certificates and the <keygen> tag. These things were ill-specified and not well designed for the browser ecosystem, and therefore did not work well in a browser environment (just like PKCS#11). These problems are remedied by the origin-bound certificates supported by token binding as described on http://www.browserauth.net/ -- Tony Arcieri
Received on Tuesday, 24 November 2015 22:16:51 UTC