Re: Will the WebCrypto API allow discovery/enumeration of certificates? from Ryan Sleevi on 2015-06-24 (public-webcrypto-comments@w3.org from June 2015)

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 24 Jun 2015 14:00:18 -0700
To: Jeffrey Walton <noloader@gmail.com>
Cc: WebCrypto Comments <public-webcrypto-comments@w3.org>
Message-ID: <CACvaWvZUBim2_ufWCg=owtQdCX6urOS+m1GsR0G5K-FWREYUYQ@mail.gmail.com>

On Wed, Jun 24, 2015 at 1:50 PM, Jeffrey Walton <noloader@gmail.com> wrote:

> I see the WebCrypto API will allow discovery of keys
> (http://www.w3.org/TR/WebCryptoAPI/):
>
>     In addition to operations such as signature generation
>     and verification, hashing and verification, and encryption
>     and decryption, the API provides interfaces for key
>     generation, key derivation, key import and export, and
>     key discovery.
>
> Certificates have public keys, and they are not as sensitive as private
> keys.
>
> Will the WebCrypto API allow discovery/enumeration of certificates?
>
> Examples of what I would like to discover or enumerate (in addition to
> the private keys):
>
>  * Trusted roots
>  * Client certs
>
> Trusted Roots are in the platform's trust store. Client certs may be
> in the trust store.
>
> Thanks in advance,
> Jeff
>
>
There are no plans from Chrome to implement such, on the hopefully obvious
and significant privacy grounds.

Client certs contain PII.
Trusted certs contain PII and fingerprinting.

In modern, sandboxed operating systems, such as iOS and Android,
applications cannot enumerate either, as those platform providers reached
the same conclusion.

So no. Never.[1]

[1] For some really long value of never

Received on Wednesday, 24 June 2015 21:01:08 UTC