Re: Web Cryptography Working Group scoping progressing...

On 3 November 2011 19:20, Channy Yun <channy@gmail.com> wrote:
> Dear all. I want to comment something.
>
> in scope
>
> 1) How about adding API access to control of SSL/TLS login?
>
> 2) I think some of API interfaces for personal certificate management are
> needed such as import and export of keypair although most of browsers have
> own certificate manager.
>
> 3) Some of functions as like key pare generation and digital signature
> generation require browser's user interface. It needs universal interface
> guideline for security issues. Please add "guideline of universal user
> interface in browser" and . For examples,
> http://html5.creation.net/webcrypto-api/#login-with-the-user-certificate.
> This is related to indentity APIs like BrowerID. Also it may be included in
> recommendation-track deliverables similar with http://www.w3.org/TR/wsc-ui/

One of the reasons no-one uses browser-based auth, despite it existing
pretty much since browsers began, is because the UI is not under
control of the site, so it looks ugly, happens in the wrong place on
the screen and probably confused users.

I do agree that there needs to be UI, but it seems like a bad idea to
insist that it is in the browser: what is needed is a way for the site
to control the UI without compromising the security.

>
> out of scope
>
> a compatiblity between keystore in each browsers. Some applications can try
> a same keypare management in them.

I am not sure that this is wise, either. If you allow applications to
manage keys, then you open the door for attackers to "manage" the keys
into their keystore. So, some way of getting keys between browsers
without needing anything but the browser itself seems necessary.


>
> Channy
> ---------------------
> Mozilla Korea Community, http://www.mozilla.or.kr
> Technology Evangelist, Daum Developers Network & Affiliates
> http://dna.daum.net
>
>
>

Received on Friday, 4 November 2011 14:19:58 UTC