> The problem with this approach is that you expose keys to arbitrary javascript
> code which is rather different to for example TLS-client-certificate
> authentication which only exposes a high-level mechanism as well as a
> [reasonably] secure credential filtering scheme and user GUI.

Clear as water. Shouldn't we be able to expose "key handles" rather than keys? I.e. javascript invokes getKeyFromPKCS11("modulename") and "#1" is returned, but can be used.

> Traditional signed code is IMO rather lame since anybody can buy
> a valid code-sign certificate. I.e. a code signature from someone
> you never heard about doesn't add much to the table.

Agree

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
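The "key handle" idea raised in the message above, sketched as an added example (not code from the thread or from any Mozilla API). `getKeyFromPKCS11` is the call proposed in the message; `createKeyStore`, `sign`, `exportPublicKey`, the origin argument and the freshly generated key standing in for a token key are assumptions made for illustration.

```javascript
// Added illustration of opaque key handles; every name except
// getKeyFromPKCS11 (taken from the message) is hypothetical.
const crypto = require('node:crypto');

// Privileged side (stands in for the browser / PKCS#11 module).
// The slot table is closed over and never handed to page script.
function createKeyStore() {
  const slots = new Map(); // handle -> { moduleName, origin, privateKey, publicKey }
  let next = 1;
  return Object.freeze({
    // Returns a handle such as "#1"; key material stays inside the store.
    getKeyFromPKCS11(moduleName, origin) {
      // Constructed stand-in: a real module would look up a key on the token.
      const { privateKey, publicKey } =
        crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
      const handle = `#${next++}`;
      slots.set(handle, { moduleName, origin, privateKey, publicKey });
      return handle;
    },
    // The key is used by handle, and only by the origin that obtained it.
    sign(handle, origin, data) {
      const slot = slots.get(handle);
      if (!slot || slot.origin !== origin) {
        throw new Error('unknown handle for this origin');
      }
      return crypto.sign('sha256', Buffer.from(data), slot.privateKey);
    },
    // The public half is the only key material that leaves the store.
    exportPublicKey(handle) {
      const slot = slots.get(handle);
      if (!slot) throw new Error('unknown handle');
      return slot.publicKey.export({ type: 'spki', format: 'pem' });
    },
  });
}

// Page-script side: it only ever sees the string handle.
function demo() {
  const store = createKeyStore();
  const origin = 'https://app.example'; // constructed sample origin
  const handle = store.getKeyFromPKCS11('modulename', origin);
  const sig = store.sign(handle, origin, 'challenge-123');
  const pub = crypto.createPublicKey(store.exportPublicKey(handle));
  const verified = crypto.verify('sha256', Buffer.from('challenge-123'), pub, sig);
  let foreignRejected = false;
  try { store.sign(handle, 'https://other.example', 'x'); } catch { foreignRejected = true; }
  return { handle, verified, foreignRejected };
}
```

A handle prevents script from reading the private key, but whoever holds it can still request signatures, which is why this sketch binds each handle to the origin that obtained it.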