[WebCryptoAPI] Behaviour "not supported algorithm" and "Authentication"

Hi,

While writing my Bachelor's thesis at Ruhr-University Bochum on the Web 
Crypto API, I encountered 2 problems in the specification:

1. What happens if a user agent doesn't support the algorithm 
requested by the web application, after the "InvalidAlgorithmError" was 
thrown?
In my opinion there are 2 possible solutions:

a. The user agent and web application can't communicate with each other

b. The web application tries another algorithm

In the case of solution b, a method to discover supported algorithms would be 
nice.

2. I tried to explain the "Multi-factor Authentication" by taking the 
example of the "ISO/IEC 9798-3 three-pass mutual authentication protocol".
In doing so I noticed that there is no way to check if a received nonce is 
the same as the nonce previously sent. The only way to check a nonce is
within JavaScript, whereby the nonce has to be stored inside JavaScript 
variables which can be manipulated by the web application.
The same applies to timestamps.
So I have no idea how to implement a secure authentication protocol based 
on Web Crypto.



Greetings
Martin Becker

Received on Sunday, 28 July 2013 20:06:56 UTC
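
Option b from question 1, as an added example that is not part of the original message: the application probes `crypto.subtle` with its own ordered preference list and falls back when the user agent rejects an algorithm. It assumes current implementations, which reject an unknown algorithm with a DOMException named `NotSupportedError`; `EXAMPLE-UNSUPPORTED`, `PREFERENCES`, `isSupported` and `negotiate` are names made up for the illustration.

```javascript
// Added example: algorithm fallback by probing crypto.subtle.
// Runs in browsers and in Node.js (falls back to node:crypto's webcrypto).
const subtle = (globalThis.crypto && globalThis.crypto.subtle) ||
  require('node:crypto').webcrypto.subtle;

// Preference list fixed by the application, strongest first (constructed).
// Only algorithms the application accepts belong here, so a fallback can
// never end up on something weaker than the application allows.
// "EXAMPLE-UNSUPPORTED" is a made-up name standing in for a missing algorithm.
const PREFERENCES = [
  { params: { name: 'EXAMPLE-UNSUPPORTED', length: 256 }, usages: ['encrypt', 'decrypt'] },
  { params: { name: 'AES-GCM', length: 256 }, usages: ['encrypt', 'decrypt'] },
  { params: { name: 'AES-CBC', length: 256 }, usages: ['encrypt', 'decrypt'] },
];

// Resolves to true if the user agent can generate a key for this algorithm.
async function isSupported({ params, usages }) {
  try {
    await subtle.generateKey(params, false, usages);
    return true;
  } catch (err) {
    // Assumption: unsupported algorithms surface as NotSupportedError.
    if (err && err.name === 'NotSupportedError') return false;
    throw err; // any other error is a parameter bug, not a missing algorithm
  }
}

// Walks the list in order. Resolves to the first usable algorithm plus the
// names that were skipped; rejects when nothing is usable (option a).
async function negotiate(preferences) {
  const skipped = [];
  for (const candidate of preferences) {
    if (await isSupported(candidate)) {
      return { chosen: candidate.params.name, skipped };
    }
    skipped.push(candidate.params.name);
  }
  throw new Error('no mutually supported algorithm: ' + skipped.join(', '));
}
```

Recording `skipped` lets the application log which algorithms the user agent lacked, so an unexpected fallback is visible rather than silent.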