Re: P2P Payments

On 12/05/2014 11:19 AM, Dave Longley wrote:
> On 12/05/2014 11:07 AM, Manu Sporny wrote:
>> On 12/05/2014 09:48 AM, Melvin Carvalho wrote:
>>> Are you saying that all key material is governed by same origin 
>>> policy?
>> 
>>> So what's the difference between this and just using
>>> localStorage?
>> There is effectively no difference.
> 
> Depends on the meaning of "effectively". There is a slight difference
> -- my understanding is that with WebCrypto the server has no access
> to the key material itself, which means it can't take the key offline
> and do whatever it wants with it. Rather, it needs you to visit the
> server (hit the site in your browser) ... and then it can do whatever
> it wants with it. So there is a subtle difference there that brings
> slightly more security, but probably not the degree of security some
> may expect.

+1, what Dave said.

By "effectively" I meant that the server controls when your private key
is used to digitally sign some piece of information (and it can do this
at any point that you're on that website and with any piece of data it
wants you to sign).

What Anders is pushing for is a device (like FIDO's U2F devices only w/o
the Same Origin Policy (SOP)) that you can use on any website to
digitally sign something (after typing in a PIN on the device to
complete the signature). Typically, Secure Elements have been used for
this sort of activity. WebCrypto has no support for this right now,
although they're trying to figure out a way to make this happen at W3C.
Virginie Galindo, the chair of the WebCrypto group and Gemalto employee
(they make/sell Secure Elements), just presented to the Web
Payments IG User Payment Agent Task Force about this an hour ago.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/

Received on Friday, 5 December 2014 16:38:25 UTC
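
The distinction drawn in this message, as an added example that is not code from the thread or from any of its participants: a WebCrypto private key generated as non-extractable cannot be read out by the origin's script, yet the same script can still sign any data it chooses while the page is open. The function names (tryExport, signAndVerify, demo) and the message strings are constructed for illustration; the extractable key stands in for key material kept in localStorage, which script can read directly.

```javascript
// Added example: extractable vs. non-extractable WebCrypto keys.
// Runs in a browser console or Node; the fallback covers Node versions without a global `crypto`.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Try to read the private key material the way the origin's script would.
async function tryExport(privateKey) {
  try {
    const jwk = await subtle.exportKey('jwk', privateKey);
    // `d` is the private scalar; once script holds it, it can be sent anywhere.
    return { exported: true, hasPrivateScalar: typeof jwk.d === 'string' };
  } catch (err) {
    // Non-extractable keys reject the export; the key stays inside the browser.
    return { exported: false, hasPrivateScalar: false };
  }
}

// Sign data chosen by the script, with no user interaction, then verify it.
async function signAndVerify(keyPair, text) {
  const data = new TextEncoder().encode(text);
  const sig = await subtle.sign(SIG, keyPair.privateKey, data);
  return subtle.verify(SIG, keyPair.publicKey, sig, data);
}

async function demo() {
  // extractable = true: comparable to key material readable from localStorage.
  const extractable = await subtle.generateKey(ALG, true, ['sign', 'verify']);
  // extractable = false: the private key cannot be taken offline by the server.
  const locked = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  return {
    extractableExport: await tryExport(extractable.privateKey),
    lockedExport: await tryExport(locked.privateKey),
    // The script still decides what gets signed, and when (constructed messages).
    lockedSignsArbitraryData: [
      await signAndVerify(locked, 'constructed message A'),
      await signAndVerify(locked, 'constructed message B'),
    ],
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```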