On 2013-02-15 09:46, helpcrypto helpcrypto wrote: <snip>
> IMHO, once we have a pkcs#11 interface to handle any smartcard, even
> installed cert using NSS softoken, and maybe a wrapper to mscapi...the
> only thing left is to use those certs stored "somewhere" with your
> javascript API.

The problem with this approach is that you expose keys to arbitrary javascript code which is rather different to for example TLS-client-certificate authentication which only exposes a high-level mechanism as well as a [reasonably] secure credential filtering scheme and user GUI.

I.e. we need something similar to your current signed java applets in order to enable web-based javascript access to keys in NSS et al.

I have proposed using the model used in Google Wallet which is signed code with a twist: It is not the platform (or you) that trusts the code, it is the security resource.

Traditional signed code is IMO rather lame since anybody can buy a valid code-sign certificate. I.e. a code signature from someone you never heard about doesn't add much to the table.

Anders
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto