Re: Will the WebCrypto API allow discovery/enumeration of certificates? from Billy Simon Chaves on 2015-06-24 (public-webcrypto-comments@w3.org from June 2015)

From: Billy Simon Chaves <b.simon@hermes-soft.com>
Date: Wed, 24 Jun 2015 16:48:55 -0600
To: Ryan Sleevi <sleevi@google.com>
Cc: Jeffrey Walton <noloader@gmail.com>, WebCrypto Comments <public-webcrypto-comments@w3.org>
Message-Id: <0845868B-3F36-4C1D-BE08-6D6531FF1011@hermes-soft.com>

Hello Ryan,

It is not obvious to me the privacy or security reasons why a web application should not be able to enumerate trusted roots and client certificates in the user certificate store. The whole point of a digital certificate is that it is public. Can you elaborate on those reasons?

Regarding security and privacy to me it is more concerning that web crypto only works with private keys stored in the browser store, and doesn’t allow me to use private keys stored in secure devices, like physical tokens.

For instance my application needs to be able to sign documents and transactions, (something like web crypto scenario "2.4 document signing") using a private key associated to a certificate issued by my country’s official CA.  First my application needs to find in the user store for a certificate issued by my country’s CA, that has a matching private key, then ask the browser to generate a digital signature using that private key, the browser ask the user for permission to use the private key (in my case it has to ask for a PIN cause the private key is stored in a smart card), if the user accepts the browser ask the smart card to generate the digital signature.  In my case for security and privacy reasons all the crypto operations are done inside the smart card, the private key never leaves the smart card.

Thanks in advance,

Su aliado en la Web...

Ing Billy Simón Ch.

Gerente de Tecnología
Tel. 2234-9900 ext 102
www.hermes-soft.com <applewebdata://17ADD1F3-9078-4C48-A9A4-986EB94ACB8D/www.hermes-soft.com>

> On Jun 24, 2015, at 3:00 PM, Ryan Sleevi <sleevi@google.com> wrote:
> 
> 
> 
> On Wed, Jun 24, 2015 at 1:50 PM, Jeffrey Walton <noloader@gmail.com <mailto:noloader@gmail.com>> wrote:
> I see the WebCrypto API will allow discovery of keys
> (http://www.w3.org/TR/WebCryptoAPI/ <http://www.w3.org/TR/WebCryptoAPI/>):
> 
>     In addition to operations such as signature generation
>     and verification, hashing and verification, and encryption
>     and decryption, the API provides interfaces for key
>     generation, key derivation, key import and export, and
>     key discovery.
> 
> Certificates have public keys, and they are not as sensitive as private keys.
> 
> Will the WebCrypto API allow discovery/enumeration of certificates?
> 
> Examples of what I would like to discover or enumerate (in addition to
> the private keys):
> 
>  * Trusted roots
>  * Client certs
> 
> Trusted Roots are in the platform's trust store. Client certs may be
> in the trust store.
> 
> Thanks in advance,
> Jeff
> 
> 
> There are no plans from Chrome to implement such, on the hopefully obvious and significant privacy grounds.
> 
> Client certs contain PII.
> Trusted certs contain PII and fingerprinting.
> 
> In modern, sandboxed operating systems, such as iOS and Android, applications cannot enumerate either, as those platform providers reached the same conclusion.
> 
> So no. Never.[1]
> 
> [1] For some really long value of never

Attachments

text/html attachment: stored
image/gif attachment: image001.gif

Received on Thursday, 25 June 2015 07:00:27 UTC