- From: Nico Williams <nico@cryptonector.com>
- Date: Mon, 6 Jun 2011 20:58:48 -0500
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "Richard L. Barnes" <rbarnes@bbn.com>, David Dahl <ddahl@mozilla.com>, public-web-security@w3.org
On Mon, Jun 6, 2011 at 11:16 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> Although I'm not a DOMCrypt champion, I think this is where DOMCrypt
> shouldn't go. PKCS #11 and Smart Cards are very complex and unsuitable
> for web programming. The biggest smart card maker Gemalto launched a
> web-interface for smart cards a few years back called SCConnect.

PKCS#11 is difficult to use. One thing we learned at Sun (later Oracle) is that a simple raw crypto API is highly desirable, with PKCS#11 relegated to using keys on tokens (smartcards).

That said, a smartcard interface is the most we could do in terms of browser integration with JS crypto APIs, and even that is pretty lousy -- the user can't possibly know what some script intends to do with some key, nor can the browser figure it out either.

And yet, if we don't even do that, then what do we expect a JS crypto API to do for us, in terms of security?

A JS crypto API will NOT help us improve security unless we also greatly improve server/script authentication.

Nico
--
Received on Tuesday, 7 June 2011 01:59:14 UTC