On 2015-11-24 02:29, Tony Arcieri wrote:
> On Mon, Nov 23, 2015 at 2:28 PM, Erik Anderson <eanders@pobox.com <mailto:eanders@pobox.com>> wrote:
>
> PKCS#11 is the underlying mechanism that Government & Financial industries uses PIV cards as cryptographic identity.
>
>
> Speaking as someone who works in the "financial industry" who also attended the W3C's WebCrypto Next Steps workshop, PKCS#11 has a design which is hostile to usage in browsers, particularly around providing a meaningful user experience and easy-to-understand interaction flows for user consent.
Like shown in the upper part of this one-page document
http://webpki.org/papers/permissions.pdf
which I published after the workshop which I also attended.
>
> I personally consider "PKCS#11-in-browser" a fundamentally flawed idea.
Me too but the W3C folks apparently thinks differently:
https://w3c.github.io/websec/hasec-charter.html
> This can be used to safely assure transactions even in a compromised browser.
>
>
> Nothing can assure that, but hardware tokens can be used to minimize the risk of exposure.
>
> Particularly interesting in this area is U2F, which is already supported by most modern Yubikeys, and the new Token Binding extension to TLS:
>
> http://www.browserauth.net/
>
> U2F can be used in conjunction with Channel Bound Cookies to bind cookies to a hardware token:
>
> http://www.browserauth.net/channel-bound-cookies
>
> This should give you the benefits I believe you're describing in a way that's amenable to usage in web browsers. I don't think PKCS#11 will ever be capable of providing that.
>
> --
> Tony Arcieri