Re: keygen and client-certificates document available

On 4 December 2015 at 22:20, Graham Leggett <minfrin@sharp.fm> wrote:
>> [...]  Either way, I don't think that
>> there is any question you could sensibly ask a user that would
>> convince me that the answer you got constituted informed consent.
>
> “This website wants to use your location, do you allow this?”
> “This website wants to use your camera, do you allow this?”
> “This website wants you to create a new identity, do you allow this?”

One of these things is not like the other ones...  What is a new
identity?  You make it sound like I'm going into the witness
protection programme.

>> On a less serious note, I think that the characterization of CryptoKey
>> is inaccurate.  An asymmetric Crypto-Key with an unexportable private
>> key might be usable for authentication, though other forms are
>> definitely unsuitable.  The opt-in protection isn't therefore a
>> non-issue.
>
> The opt-in protection breaks keygen completely.
>
> Think of a man-in-the-middle between a browser and a CA. The man-in-the-middle sends poisoned javascript that tells the browser to create a key with no protection, and then allows that key signing request to be forwarded to the CA. The CA issues a certificate against this request in good faith believing the key is secure, when it is not.

Unfortunately, WebCrypto already permits this kind of "attack" (i.e.,
getting a certificate for a key you "control").  However, opt-in
protection has to prevent the installation of a certificate for keys
that didn't have protections.  I think that means that keys would have
to have no usages (and perhaps a new one, but I suspect that would
draw the ire of Mr. Sleevi).

> There is no way that code that is obtained from a server can be trusted to operate in the interests of the client. The server can _initiate_ a request for the client to do something, but the mechanics of doing this have to be built into the client.

I'm not sure where you are headed with this one.

>> I also believe that it is possible to generate keys in
>> secure storage with the WebCrypto API (Firefox might already if there
>> is a suitable device, but I'm not sure).
>
> It is not possible, no, and requests to make it possible have fallen on deaf ears.

Have you tested this?  I don't have a PKCS#11 device handy, but I do
believe that NSS uses them when they are available.  I can probably
find out, I guess.

Received on Saturday, 5 December 2015 10:01:19 UTC