- From: Ryan Sleevi <sleevi@google.com>
- Date: Sun, 28 Jul 2013 15:00:22 -0700
- To: Martin Becker <Martin.Becker@ruhr-uni-bochum.de>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CACvaWvbD8r6=ZV_uOyDRkafY+PFGc9OCb1QQ6gPvq-Zp9KEndA@mail.gmail.com>
On Jul 28, 2013 1:07 PM, "Martin Becker" <Martin.Becker@ruhr-uni-bochum.de> wrote: > > Hi, > > currently writing my Bachelor-Thesis, at Ruhr-University Bochum on Web Crypto API, I encountered 2 problems in the specification: > > 1. What’s happened if an user agent doesn’t support the Algorithm, requested by the web application, after the “InvalidAlgorithmError” was thrown? > In my opinion there are 2 possible solutions: > > a. The user agent and web application can’t communicate with each other > > b. The web application tries another algorithm > > In case of solution b a method to discover supported algorithms would be nice. You can see the mail archives for why such discoverability is intentionally not implemented or specified. Attempting to use the desired algorithm - with the desired params - is the only defined discovery mechanism. > > 2. I tried to explain the “Multi-factor Authentication” by taking the example of the “ISO/IEC 9798-3 three-pass mutual authentication protocol”. > At that I remarked that there is no way to check if a received nonce is the same as the nonce previously sent. The only way to check a nonce is > within java script whereby the nonce has to be stored inside java script variables which can be manipulated by the web application. > The same takes effect on Timestamps. > So i have no idea how to implement a secure authetication protocol based on Web Crypto. > Web Crypto does not and should not provide a means for trusting arbitrary JS. Either you trust the JS or you don't. If you don't trust the web application, there can be no security - web crypto or not. > > > Greetings > Martin Becker > > >
Received on Sunday, 28 July 2013 22:00:52 UTC