- From: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@esat.kuleuven.be>
- Date: Thu, 23 May 2013 10:40:16 +0200
- To: <public-webcrypto-comments@w3.org>
- Cc: danny de cock <Danny.DeCock@esat.kuleuven.be>, Filipe Beato <filipe.beato@esat.kuleuven.be>
Our reading of the API suggests that it is not sufficient to handle smart cards. Smart cards are widely available security tokens (citizen IDs in several countries are such) that allow cryptographic operations with a private key that is not extractable. The private key is typically PIN protected. In our view what is needed to support those keys: * Generation: The generateKey should allow the specification of a location (e.g., with a PKCS #11 URL [0]), and it should be able to return an identifier that can be used to access the object. * Cloning: The ability to clone a key on an SC should not be assumed. * Importing: A way to import a named key (e.g., using a PKCS #11 URL) should be allowed to access a smart card key. * Exporting Non-Extractable keys should not be expected to be exported, nor any private key parameters should be accessible. Note that from a user interface perspective the user should be warned by the browser prior to allowing any access on its smart cards by a webapp. [0]. http://tools.ietf.org/html/draft-pechanec-pkcs11uri-09
Received on Thursday, 23 May 2013 10:12:58 UTC