I do understand the frustration you must feel in trying to get browsers to work closely with your national ID/Cert system. There are many such systems, and trying to create an API that works with your specific requirements, hardware and regulations is very difficult. The WG notes this by placing such efforts in the WG's "secondary features". This is a shame, but it is also a bit of realism as getting caught up in multiple varying national schemes may have stunted progress on a more generic API, which I feel is a first priority.
I wish there was more homogeneity in these systems.

-david

----- Original Message -----
From: "helpcrypto helpcrypto" <helpcry...@gmail.com>
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Cc: "Brian Smith" <bsm...@mozilla.com>, "Brendan Eich" <bren...@mozilla.com>, "Ben Adida" <benad...@mozilla.com>, "Eric Rescorla" <e...@mozilla.com>, "Brian Warner" <war...@mozilla.com>, "David Dahl" <dd...@mozilla.com>
Sent: Thursday, February 14, 2013 2:29:11 AM
Subject: Re: Web Crypto API(s) and what Mozilla wants / needs

Hi David.

First: Thank you (all) for your hard work on this.
Second: Sorry for any mistake, typo or pocahontas speak.

IMHO we NEED this, and Mozilla NEEDS it also.

In our case, we are currently using a Java applet to make digital signatures of documents in many formats (XMLDSig, XAdES, PAdES...) using client certificates (RSA X.509) stored on NSS/smartcard/CSP. We are not using the Mozilla signText, because it's HORRIBLY user-unfriendly (showing unreadable text doesn't truly accomplish contentCommitment), it can't be used to sign "a bunch of documents", it's different from MSCAPI... among other things.

Of course, as your API only handles keys (and how to get them from a smartcard is out of scope), IMHO there's a HUGE gap between your API and the real world. There are, already, a lot of JS libraries to do cryptographic operations, but it is the lack of PKCS#11/NSS support which makes them useless.

In recent versions of the draft, you have added "19. Key Discovery", and that is, IMHO, the key to success. I think you are going in the correct direction, but if you don't work on "how to get the keys from the smartcard" or "how to sign 3 documents without requiring the PIN 3 times (if the smartcard allows it)" [I already suggested signInit-Add-Final methods based on PKCS#11 sign functions], we will still need Java Applets. And that sux.

Just my 0.02

> What Mozilla really need is a new PKI client, the current is useless,
> particularly for B2G (since PCs seem to be a lost case due to MSFT):

Although I'm not yet convinced that Anders' proposal for a new PKI system is the final solution, probably because I lack the needed skills, I TOTALLY agree with him: I don't like the way to request a certificate using Mozilla. Either genkey (where I can't control if they are generated on my smartcard or NSS, or the keysize they have... unless messing with DOM :P)

> Since you asked about Web Crypto, my question remains: how does
> Web Crypto WG intend to deal with keys in NSS, CryptoAPI, "KeyChain"?

Again, IMHO, there should be a way to request "in which smartcard" you want to generate/use the key, using the PKCS#11 module name, for example.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto