Re: NSS - PKCS #11 Test Suites build problems (2013)

Hi Tiago, On Fri, Feb 15, 2013 at 11:34 AM, TIAGO ALVES wrote: > > I saw previous messages that reported build problems in the NSS - PKCS > #11 Test Suites. > > I would like to know if those issues have already been addressed? We never had the time to retrieve the source code of the missing tool

NSS - PKCS #11 Test Suites build problems (2013)

Dear Members, I saw previous messages that reported build problems in the NSS - PKCS #11 Test Suites. I would like to know if those issues have already been addressed? I am using a Win32 platform (msvc2008) and the mozilla-build environment. I managed to compile the latest nss+nspr release and a

Re: Web Crypto API(s) and what Mozilla wants / needs

>> ie: javascript invoke getKeyFromPKCS11("modulename") and "#1" is >> returned, but can be used. > > How do you envision that this access should be controlled? > Here imagine that you have dozens of keys, not just a single key in a smart > card. The same way as SSL client authentication: with a

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 11:32, helpcrypto helpcrypto wrote: >> The problem with this approach is that you expose keys to arbitrary >> javascript >> code which is rather different to for example TLS-client-certificate >> authentication which only exposes a high-level mechanism as well as a >> [reasonably] se

Re: Web Crypto API(s) and what Mozilla wants / needs

> I think we all mean "key handles" instead of "plaintext key material" > but the problem is the same - keys get exposed "naked" and can be > (ab)used for whatever. I mean, apart from malicious sign operations, i dont see any risk on javascript "seeing" a key handle. Is there any? If the only ris

Re: Web Crypto API(s) and what Mozilla wants / needs

On Fri, Feb 15, 2013 at 12:32 PM, helpcrypto helpcrypto wrote: >> The problem with this approach is that you expose keys to arbitrary >> javascript >> code which is rather different to for example TLS-client-certificate >> authentication which only exposes a high-level mechanism as well as a >> [

Re: Web Crypto API(s) and what Mozilla wants / needs

> The problem with this approach is that you expose keys to arbitrary javascript > code which is rather different to for example TLS-client-certificate > authentication which only exposes a high-level mechanism as well as a > [reasonably] secure credential filtering scheme and user GUI. clear as w

Re: Web Crypto API(s) and what Mozilla wants / needs

On 2013-02-15 09:46, helpcrypto helpcrypto wrote: > IMHO, once we have a pkcs#11 interface to handle any smartcard, even > installed cert using NSS softoken, and maybe a wrapper to mscapi...the > only thing left is to use those certs stored "somewhere" with your > javascript API. The problem wi

Re: Web Crypto API(s) and what Mozilla wants / needs

>>> I do understand the frustration you must feel in trying to get browsers >> to work closely with your national ID/Cert system. There are many such >> systems, and trying to create an API that works with your specific >> requirements, hardware and regulations is very difficult. The WG notes >> th