Re: Technology Nexus Web Cryptography API use-cases

On 2012-07-04 07:49, Samuel Erdtman wrote:
> Hi Anders,
>
> Thanks for the comments, I'll try to explain how I was thinking.
>
> I'm not aiming to build a complete replica of Nexus Personal; what I'm mainly looking for is a common way to access a crypto provider from the browser, and then register e.g. Nexus Personal as a crypto provider to give access to smart cards. This summarizes most of the use-cases that I sent in.

Hi Samuel,
You are not alone in asking for this kind of functionality. I'm personally hesitant about this due to my negative experiences with Microsoft's "CertEnroll" scheme. The problem (as I see it...) is that cryptographic subsystems like CryptoAPI and PKCS #11 were never designed for access by arbitrary code downloaded from the web. As an analogy, TLS client-certificate authentication does its entire job without exposing any API method to the web; only the URL is needed. Due to this I have essentially lost interest in the Web Cryptography WG; as far as I can tell it won't address "our" applications :-(

>
> I think that Wan-Teh's signature write-up (http://lists.w3.org/Archives/Public/public-webcrypto/2012Jun/0007.html) is a subset of mine. Mine is just a more generalized description of the need for smart-card support, but with a more specific technical description.
>
> Further, I wanted to put some extra focus on signatures in the Web Crypto API, which currently has very few use-cases on signing (http://www.w3.org/2012/webcrypto/wiki/Use_Cases).

I wonder if this WG really is properly geared for taking on a web-signature application. It is a MAJOR undertaking since you can end up with anything from crypto.signText() to a 10 MB+ application! OTOH, few people are actually interested in this rather esoteric topic so it may pass easily :-)

>
> In the cases where PIN is not supported by a SoftToken I would imagine the crypto provider either just blindly accepting the request and signing it, or providing the user with a dialog to accept the signing operation.

Yes, however, on the market where we both operate (!), this is not an accepted behavior, which is the reason why BankID has (together with NexusSafe I think...) developed specific soft token solutions, most recently Mobile BankID.

Regards,
Anders

>
> Cheers
>
> *Samuel Erdtman*  |  Developer
> *Nexus Group*  |  www.nexussafe.com <http://www.nexussafe.com/>
> ------------------------------------------------------------
> *From:* Anders Rundgren [anders.rundgren@telia.com]
> *Sent:* Monday, July 02, 2012 10:13
> *To:* public-webcrypto-comments@w3.org; Samuel Erdtman
> *Subject:* Re: Technology Nexus Web Cryptography API use-cases
>
> Hi Samuel,
> I think most of the stuff you write about is out of scope for the WebCrypto WG.
>
> I don't think that you actually can build applications that mimic the Nexus "Personal" product based on /transiently downloaded code/ running in a browser window.
>
> Wan-Teh's signature write-up is though an exception since it is really a complete application:
> http://lists.w3.org/Archives/Public/public-webcrypto/2012Jun/0037.html
>
> I have earlier developed a more advanced version of a Web Signature proposal:
> http://webpki.org/papers/wasp/wasp-tutorial.pdf
> http://code.google.com/p/openkeystore/source/browse/trunk/library/src/org/webpki/wasp/wasp-core.xsd
>
> I'm (nowadays) mainly interested in Certificate Enrollment since the schemes supported by the current platforms are (as I have been banging on people's heads about for /years/) essentially inadequate, /in addition to being all over the map/. The PIN you are mentioning in your use-case is often not even supported by the underlying crypto system, like the NSS "SoftToken".
>
> Best regards
> Anders Rundgren
> User of Nexus personal, Vendor to BankID, and PKI/Web Technologist.
>

Received on Wednesday, 4 July 2012 06:21:33 UTC