Re: Yubikey announces v4 with PKCS#11 smart card features from Tony Arcieri on 2015-11-24 (public-webpayments-ig@w3.org from November 2015)

From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 23 Nov 2015 17:29:08 -0800
To: Erik Anderson <eanders@pobox.com>
Cc: Web Payments IG <public-webpayments-ig@w3.org>, David Ezell <David_E3@verifone.com>
Message-ID: <CAHOTMVLou=n3VMKgaBeV84Vs0okiB1nEaGWD+3de2PbYgWRf-Q@mail.gmail.com>

On Mon, Nov 23, 2015 at 2:28 PM, Erik Anderson <eanders@pobox.com> wrote:

> PKCS#11 is the underlying mechanism that Government & Financial industries
> uses PIV cards as cryptographic identity.
>

Speaking as someone who works in the "financial industry" who also attended
the W3C's WebCrypto Next Steps workshop, PKCS#11 has a design which is
hostile to usage in browsers, particularly around providing a meaningful
user experience and easy-to-understand interaction flows for user consent.

I personally consider "PKCS#11-in-browser" a fundamentally flawed idea.

> This can be used to safely assure transactions even in a compromised
> browser.

Nothing can assure that, but hardware tokens can be used to minimize the
risk of exposure.

Particularly interesting in this area is U2F, which is already supported by
most modern Yubikeys, and the new Token Binding extension to TLS:

http://www.browserauth.net/

U2F can be used in conjunction with Channel Bound Cookies to bind cookies
to a hardware token:

http://www.browserauth.net/channel-bound-cookies

This should give you the benefits I believe you're describing in a way
that's amenable to usage in web browsers. I don't think PKCS#11 will ever
be capable of providing that.

-- 
Tony Arcieri

Received on Tuesday, 24 November 2015 01:29:55 UTC