- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Mon, 10 Sep 2012 12:55:46 +0200
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Since Virginie asked for opinions on this issue I felt inclined to provide one :-)

General: I understand that Ryan et al. do not want to encourage the use of inferior crypto. Neither do I, but I would rather write something like "Not recommended for new designs". This particular algorithm is actually *widely deployed* and in an (NDA-protected) context where the inferiority doesn't have much impact.

Related: A system like WebCrypto makes it simple to design new cryptographically secured protocols. In my experience, it is quite easy to design bad protocols albeit using excellent cryptographic algorithms.

A real-world example is BSI's EAC (Extended Authorization Control) used in passports: EAC presumes the use of an HSM, which sounds very secure, right? EAC builds on frequent and automated certificate renewals where the *current* key is used to sign a renewal request containing the *new public key*. So far so good? Well, standard HSMs do not have the ability to attest that the *new* key-pair actually resides in and was created in the HSM. So in spite of using state-of-the-art cryptographic algorithms, the *system* (IMO) is pretty broken.

Regards,
Anders
Received on Monday, 10 September 2012 10:56:30 UTC
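The renewal step described in the message above, as an added example written for this page (it is not code from the message, from BSI's EAC specification, or from any HSM product). It assumes ECDSA over P-256 with SHA-256, a DER-encoded new public key, and a hypothetical wire format (`RenewalRequest`, `SignRenewal`, `VerifyRenewal`, `Demo`) invented for the illustration. The point it shows: the current key's signature binds the new public key to the holder of the current key, so a swapped key is rejected, yet a new key generated in plain software verifies exactly like one generated inside an HSM, because the signature carries no information about where the new private key lives.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// RenewalRequest is the hypothetical renewal message: the new public key,
// signed by the *current* key. This wire format is constructed for the
// example and is not the EAC format.
type RenewalRequest struct {
	NewPub []byte // DER-encoded SubjectPublicKeyInfo of the new key
	Sig    []byte // ASN.1 ECDSA signature over SHA-256(NewPub) by the current key
}

// NewKey generates a P-256 key pair. It stands in both for a key the HSM
// would generate and for a key generated in ordinary software; the two are
// indistinguishable on the wire, which is the weakness being illustrated.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// EncodePub serialises a public key the way the request carries it.
func EncodePub(pub *ecdsa.PublicKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(pub)
}

// SignRenewal builds the renewal request: the current key signs the new
// public key, as in the renewal step described in the message.
func SignRenewal(current *ecdsa.PrivateKey, newPub *ecdsa.PublicKey) (*RenewalRequest, error) {
	der, err := EncodePub(newPub)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, current, digest[:])
	if err != nil {
		return nil, err
	}
	return &RenewalRequest{NewPub: der, Sig: sig}, nil
}

// VerifyRenewal is everything a verifier can check: that the new public key
// parses and that the holder of the current key signed it. Nothing here can
// tell whether the matching private key was created in, or lives in, an HSM.
func VerifyRenewal(currentPub *ecdsa.PublicKey, req *RenewalRequest) bool {
	if _, err := x509.ParsePKIXPublicKey(req.NewPub); err != nil {
		return false
	}
	digest := sha256.Sum256(req.NewPub)
	return ecdsa.VerifyASN1(currentPub, digest[:], req.Sig)
}

// Demo runs two renewals under the same current key: one whose new key is
// labelled "HSM-generated" and one generated in software. Both verify.
func Demo() (hsmAccepted, softwareAccepted bool, err error) {
	current, err := NewKey()
	if err != nil {
		return false, false, err
	}
	hsmNew, err := NewKey() // pretend this one was created inside the HSM
	if err != nil {
		return false, false, err
	}
	softNew, err := NewKey() // this one was created in plain software
	if err != nil {
		return false, false, err
	}
	reqHSM, err := SignRenewal(current, &hsmNew.PublicKey)
	if err != nil {
		return false, false, err
	}
	reqSoft, err := SignRenewal(current, &softNew.PublicKey)
	if err != nil {
		return false, false, err
	}
	return VerifyRenewal(&current.PublicKey, reqHSM), VerifyRenewal(&current.PublicKey, reqSoft), nil
}

func main() {
	h, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("HSM-generated new key accepted: %v\n", h)
	fmt.Printf("software-generated new key accepted: %v\n", s)
}
```

The signature is doing its job: replacing `NewPub` with a different key after signing makes `VerifyRenewal` fail. What it cannot do is prove provenance of the new key, which is why the protocol would need a separate attestation from the HSM over the new public key, the capability the message says standard HSMs lack.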