>> ie: javascript invoke getKeyFromPKCS11("modulename") and "#1" is
>> returned, but can be used.
>
> How do you envision that this access should be controlled?
> Here imagine that you have dozens of keys, not just a single key in a
> smart card.

The same way as SSL client authentication: with a dialog letting the
user select between the certs stored on that PKCS#11.


> A difference to keys compared to for example "your location" (which is
> exclusively your resource) is that keys in most cases are given to users
> by external providers.  The providers do not want their keys to be misused,
> particularly not by users who accidentally made the wrong trust assertion.

IIUC, you mean "keys from a certificate authority intended to be used
in domain X shouldn't be (ab)used by domain Y"?
Is that what you mean?


> A scheme that doesn't take this in account IMO has little chance of getting
> market acceptance.

Maybe I didn't explain myself properly. I'm not suggesting a "new
scheme", just making this JS crypto library "backwards compatible"
with the system currently in use.


> In my professional life I deal with PKIs for EAC (Extended Access Control)
> which is used in e-passports for selective access to biometric information.
> Using EAC it is the *passport* that grants access based on credentials
> provided by the inspection systems so what I'm proposing is by no means a
> "novelty"; it just hasn't reached the web.  Yet.

As with other issues, I probably lack the skills and knowledge needed
to discuss these things. I'm just a developer who uses Java applets
because there's no better alternative.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
