Re: WebCrypto API Developers Feedback

On Thu, Mar 14, 2013 at 1:24 AM, Mountie Lee <mountie.lee@mw2.or.kr> wrote:
> On Thu, Mar 14, 2013 at 1:53 PM, Matthias Dugué <mdugue@clever-age.com>
> wrote:
>>
>> ...
>> Finally, the use case for certificate management is missing (as a simple
>> and attractive means to implement the user/application authentication).
>> We're very impatient to see the outcome of your efforts to bring us a robust
>> API to build crypto methods. But, as web applications developers, our first
>> emergency is a simple to use and robust API, to deal with
>> certificates/authentication, in order to prevent the security hole that is
>> currently the login/password couple.
>
> certificate management issue is one of secondary issues.
> I expect a draft version of certificate as a different document from current
> API spec will be suggested working group soon.
> My team is preparing the proposals and you can review and add your comment.
Be careful here. We know PKI with Internet profiles (PKIX) has
problems in practice.

In the big picture, a certificate or public key (with its
corresponding private key) is how we identify folks. Making
certificate and public key management a secondary goal may have the
unintended effect of leaving gaps in authentication.

>From my experience, I rejected a number of web or browser based
applications for use at numerous firms due to authentication gaps
(courtesy of PKIX and Public CAs) coupled with lack of client
capabilities. There is some hand waiving here, since the data
sensitivity level was also in play.

At lower data sensitivity levels, many firms would accept the risk.
Anything higher often resulted in rejection, even when executives
wanted it. At least 5 'BoardPad' applications were rejected. BoardPad
applications are the apps executives and board members want to use
with their tablets for board meetings.

Since you can't fix PKI, you have to improve client capabilities.

Jeff

Received on Thursday, 14 March 2013 19:49:20 UTC