On 2014-10-24 07:11, Daniel Veditz wrote:
Your subject, "time to dump NSS", intimately affects NSS developers who will have to worry about replacing all the things NSS does for us before they can even start to think about the additional concepts.
I fully understand that.
If you're proposing a mechanism that can live on the side without actually dumping NSS then I suppose we can discuss it elsewhere,
According to Paul T Mozilla have such discussions but they are not public (HW-vendors like to plot in secrecy) so it is not obvious how to go forward. I would consider a task-force. The idea is creating a new secure core based on a TEE like Apple and Google have. The new core would indeed have to support legacy APIs like NSS.
but if it involves cryptography (how could it not?) then the tech.crypto group is the one the people who know about cryptography participate in.
It would be a combination of crypto and OS architecture, perhaps like: http://webpki.org/papers/SKS-KeyGen2_FullStack.pdf
There are several (sometimes competing) efforts within the W3 and IETF to create standards around concepts like key management. We're unlikely to implement a solution that doesn't get buy-in from other browser and server makers in that kind of forum.
So far nobody has done anything even close to what I'm proposing. Well, Apple may have but they didn't take it to standardization yet. I believe that's very wise, complex stuff must mature in the real world first. I don't think an SDO can take on a project of this kind. SDOs only deal with partial solutions which is why we during the 20 years with credit-card payments on the web haven't moved one inch forward to make them Secure AND Convenient. Anyway, you wouldn't necessarily have to start from zero in case Mozilla feels that the groundwork me and my colleges have done could be useful. Regards, Anders Rundgren
-Dan Veditz
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
