Re: Possible solution for same origin policy problem in Web Certificate API

On 2013-07-08 20:41, Arun Ranganathan wrote:
> Hi Anders,
Hi Arun,

> 
> Some words of clarification:
> 
> On Jul 8, 2013, at 2:36 PM, Anders Rundgren wrote:
> 
>> Hi Arun,
>> I read your response to Sangrae Cho regarding the use of BrowserID as the Korean solution:
>>
>> http://lists.w3.org/Archives/Public/public-webcrypto/2013Jul/0011.html
>>
>> There's nothing wrong with BrowserID but it is probably not compliant with banks' requirements since it addresses neither PIN-codes nor secure storage.
>> IMO this is valid for the entire Web Crypto API scheme.
>>
> 
> 
> I wasn't proposing "BrowserID" as the solution!  Rather, what I was proposing was:
> 
> 1. The use of cross-origin messaging to allow cryptographic credentials such as certs to be used across origins and…
> 2. Re-imagining Sangrae Cho's problem statement in terms of SOP, with the possibility of 1. above.
> 
> I merely used BrowserID as a "template" for the type of thing that can be done when cryptography meets cross-origin messaging.

I understand.  If you accept the limitations of Web Crypto with respect to common banking requirements this is just fine.


> 
> 
>> A related issue which has not been commented on is that the Web Crypto specification effectively "disintegrates" a platform with respect to key storage.
>> Immediately after (probably even before) Web Crypto passes through standardization, a frenzy of (all incompatible) schemes will emerge with the goal of restoring the platform again.
>>
> 
> 
> I'm not entirely sure I understand this point.

If you read the Web Certificate specification, you will note that it targets the "TLS key store" which I call the platform key-store.
The current Web Crypto specification doesn't do that unless you introduce some kind of kludge.

It has been shown that there's no need for a kludge; a mechanism can do the same and thus greatly expand the usability of Web Crypto.
The idea that a key+origin must come from a living URL in order to comply with SOP isn't incorrect; SOP can very well be emulated and provided through other means.

But as I said, this will be addressed outside of this WG to keep everybody happy :-)

Anders


> 
> -- A*
> 

Received on Monday, 8 July 2013 19:08:40 UTC