Re: Web Crypto API(s) and what Mozilla wants / needs

I do understand the frustration you must feel in trying to get browsers to work closely with your national ID/Cert system. There are many such systems, and trying to create an API that works with your specific requirements, hardware and regulations is very difficult. The WG notes this by

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 09:46, helpcrypto helpcrypto wrote: snip IMHO, once we have a pkcs#11 interface to handle any smartcard, even installed cert using NSS softoken, and maybe a wrapper to mscapi...the only thing left is to use those certs stored somewhere with your javascript API. The problem

Re: Web Crypto API(s) and what Mozilla wants / needs

The problem with this approach is that you expose keys to arbitrary javascript code which is rather different to for example TLS-client-certificate authentication which only exposes a high-level mechanism as well as a [reasonably] secure credential filtering scheme and user GUI. clear as

Re: Web Crypto API(s) and what Mozilla wants / needs

On Fri, Feb 15, 2013 at 12:32 PM, helpcrypto helpcrypto helpcry...@gmail.com wrote: The problem with this approach is that you expose keys to arbitrary javascript code which is rather different to for example TLS-client-certificate authentication which only exposes a high-level mechanism as

Re: Web Crypto API(s) and what Mozilla wants / needs

I think we all mean key handles instead of plaintext key material but the problem is the same - keys get exposed naked and can be (ab)used for whatever. I mean, apart from malicious sign operations, i dont see any risk on javascript seeing a key handle. Is there any? If the only risk are

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 11:32, helpcrypto helpcrypto wrote: The problem with this approach is that you expose keys to arbitrary javascript code which is rather different to for example TLS-client-certificate authentication which only exposes a high-level mechanism as well as a [reasonably] secure

Re: Web Crypto API(s) and what Mozilla wants / needs

ie: javascript invoke getKeyFromPKCS11(modulename) and #1 is returned, but can be used. How do you envision that this access should be controlled? Here imagine that you have dozens of keys, not just a single key in a smart card. The same way as SSL client authentication: with a dialog

NSS - PKCS #11 Test Suites build problems (2013)

Dear Members, I saw previous messages that reported build problems in the NSS - PKCS #11 Test Suites. I would like to know if those issues have already been addressed? I am using a Win32 platform (msvc2008) and the mozilla-build environment. I managed to compile the latest nss+nspr release and

Re: NSS - PKCS #11 Test Suites build problems (2013)

Hi Tiago, On Fri, Feb 15, 2013 at 11:34 AM, TIAGO ALVES alvesfons...@ibest.com.br wrote: I saw previous messages that reported build problems in the NSS - PKCS #11 Test Suites. I would like to know if those issues have already been addressed? We never had the time to retrieve the source