Re: Feedback, comments and so about WG Web Cryptography API from helpcrypto helpcrypto on 2012-07-23 (public-webcrypto-comments@w3.org from July 2012)

From: helpcrypto helpcrypto <helpcrypto@gmail.com>
Date: Mon, 23 Jul 2012 09:07:56 +0200
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: public-webcrypto-comments@w3.org
Message-ID: <CAHMQSgsTgp9bX--2b_gw3xKjiiciELW8FPLOtrykC=RMWUKOAg@mail.gmail.com>

On Fri, Jul 20, 2012 at 11:19 AM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
>
> I hope you don't mind some non-WG comments.

Of course not, even more coming from you!


> Generally the concept of batch and the web do not fit well but a signature scheme
> may allow upload of multiple documents to be signed in one step.  There is also
> the concept of PIN-caching which is an attribute of a key.  PIN-caching IMO, though
> requires that you are in the same session which fits your code example.

"a signature scheme may allow upload of multiple documents to be
signed in one step"
This is just what i was looking for. Will that finally be added to wg proposal?


>> Anyway, there must be a way -server side- to know which cert the user
>> used to sign, otherwise the signing could be valid, but not policy
>> compliant.
>
> This is indeed a clear omission in most signature schemes. I had this from
> the very start in my WASP proposal.

Will this be added too, daddy?


>> It could be nice to be able to select the smartcard/token from where
>> the keys are used:
>
> Key generation in smart cards is out of scope for the WG.  This is OK
> since there is no mechanism in NSS or PKCS #11 to actually say "hey,
> this key was created in a smart card" which is necessary and is already
> featured in other endeavors like Google's Wallet.

Until included in standard, we will continue trying to teach our users
to select the correct option on Firefox secutiry devices screen (that
appears qhen requesting a new key)
What about saying "i want the key generation to be made on a CWA14169
compliant device?" Maybe this must be added to PKCS#11 standard, as a
token/key attribute.


>> There can be many complex sign algorithms, like XAdES-XL or things
>> like that which could need a more complex API, providing timestamp
>> authorities or OCSP validation.
>> Also, it will be great to have PDF signatures which will lead to
>> library dependencies
>
> Yes, this is a *REQUIREMENT* and it has been voiced by me more than once.

Im actually enjoying XAdES format.


>> When generating a key, the strength should be customizable.
>> For legacy reasons, some smartcard cant handle 2048 certs, so we just
>> generate 1024 keypairs.
>> Considering that:
>>     genKeyPair(RSA, 1024)
>
> See comments on smart card key-gen.

Sorry, my lack of english doenst allow me to understand what are you
talking about.


> thanx,
> Anders
>
> PS Why are you so secret? Other people in this community are not DS

Thank you for your work. Why im supposed to be "secret"? What DS stands for?

Received on Monday, 23 July 2012 07:08:49 UTC