Re: [WebCrypto Key Discovery] Algorithm names in named keys

Hi Anders,

Now it starts making sense. I found the ability to filter on a key name a bit limited, and would have expected more filter options like you can do in TLS-CCA, where you can specify the parent certificate of the key you're expecting. (This filter option is also a bit limited, but it is a start.)

I'm also of the opinion that there are some things missing in TLS-CCA (e.g.: logout), that the UI in some browsers is not user friendly, and that filter options are a bit limited. But personally I find, for example, the UI in Chrome on Mac and in Safari on iOS not that user unfriendly.

I also think that the recent security problems in Java are making an API to access smart cards and USB security tokens even more urgent, because relying on Java to access the keys is no longer a good option today.

We are not the only ones with this use case, there are other websites that allow signing of documents (e.g.: [1]).

I don't think that there should be a usability, privacy and security problem per se. We should define an API that makes a sensible implementation in the browser possible.

Therefore I hope that there will be interest in the WG to discuss these opportunities.

Kind regards,

Nick Van den Bleeken

1: http://sign.belgium.be/

On 05 Mar 2013, at 13:34, Anders Rundgren <anders@primekey.se> wrote:

> Hi Nick,
> I don't think the current Key Discovery scheme is applicable to your use-case:
>
>   http://lists.w3.org/Archives/Public/public-webcrypto/2013Mar/0063.html
>
> Why?  If arbitrary web-code could address the key-store it would be a nuisance from both a usability, privacy and security point-of-view.
> What kind of UI should be provided? I doubt that anybody in the WG is prepared to even hint about that at this stage.
>
> TLS Client-Certificate-Authentication (CCA) differs because there's no API, just a high-level function: De-reference the URL https://host/path and it does exactly one thing - Authenticate.
> TLS-CCA also provides a key filtering method without giving the information to anybody but the user.
>
> Regards,
> Anders

Received on Tuesday, 5 March 2013 15:03:44 UTC