comments on web crypto API: Lack of smart card support [2/6]

Our reading of the API suggests that it is not sufficient to handle 
smart cards. Smart cards are widely available security tokens (citizen 
IDs in several countries are such) that allow cryptographic operations 
with a private key that is not extractable. The private key is typically 
PIN protected.

In our view what is needed to support those keys:
* Generation:
The generateKey should allow the specification of a location (e.g., 
with a PKCS #11 URL [0]), and it should be able to return an identifier 
that can be used to access the object.

* Cloning:
The ability to clone a key on an SC should not be assumed.

* Importing:
A way to import a named key (e.g., using a PKCS #11 URL) should be 
allowed to access a smart card key.

* Exporting
Non-Extractable keys should not be expected to be exported, nor any 
private key parameters should be accessible.

Note that from a user interface perspective the user should be warned 
by the browser prior to allowing any access on its smart cards by a 


Received on Thursday, 23 May 2013 10:12:58 UTC