On 2015-11-24 02:29, Tony Arcieri wrote: > On Mon, Nov 23, 2015 at 2:28 PM, Erik Anderson <eanders@pobox.com <mailto:eanders@pobox.com>> wrote: > > PKCS#11 is the underlying mechanism that Government & Financial industries uses PIV cards as cryptographic identity. > > > Speaking as someone who works in the "financial industry" who also attended the W3C's WebCrypto Next Steps workshop, PKCS#11 has a design which is hostile to usage in browsers, particularly around providing a meaningful user experience and easy-to-understand interaction flows for user consent. Like shown in the upper part of this one-page document http://webpki.org/papers/permissions.pdf which I published after the workshop which I also attended. > > I personally consider "PKCS#11-in-browser" a fundamentally flawed idea. Me too but the W3C folks apparently thinks differently: https://w3c.github.io/websec/hasec-charter.html > This can be used to safely assure transactions even in a compromised browser. > > > Nothing can assure that, but hardware tokens can be used to minimize the risk of exposure. > > Particularly interesting in this area is U2F, which is already supported by most modern Yubikeys, and the new Token Binding extension to TLS: > > http://www.browserauth.net/ > > U2F can be used in conjunction with Channel Bound Cookies to bind cookies to a hardware token: > > http://www.browserauth.net/channel-bound-cookies > > This should give you the benefits I believe you're describing in a way that's amenable to usage in web browsers. I don't think PKCS#11 will ever be capable of providing that. > > -- > Tony Arcieri
Received on Tuesday, 24 November 2015 04:02:02 UTC