Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Tim Guan-tin Chien
It's also worthy to point out many nation-state deploys Smart Card
identifications (despite the privacy concern), allow it's citizens (or
subjects) to authenticate with government services online.

Filing income tax online is the only use case for me personally to use
an Windows VM (for IE & ActiveX) or a Java plug-in. Web has so far
failed to fulfill this use case as essential and certain as death [1].

In Taiwan, 45% of tax filing is through Smart Cards online [2] this
year. The alternatives would be go down to the tax office to file it
on paper, or authenticate in person to get the income manifest *and*
file online with the authenticated passcode printed on the manifest.
WebCrypto could save some trees by preventing people from having to do
that.

(I am not sure these are the right mailing list for raising the use
case -- please advice if this should go somewhere else.)

Thanks,


Tim

[1] https://en.wikipedia.org/wiki/Death_and_taxes_%28idiom%29
[2] https://tw.news.yahoo.com/%E8%87%AA%E7%84%B6%E4%BA%BA%E6%86%91%E8%AD%89%E7%B6%B2%E8%B7%AF%E5%A0%B1%E7%A8%85-%E5%86%8D%E5%89%B5%E6%96%B0%E9%AB%98-093200374.html

On Thu, Aug 20, 2015 at 8:39 PM, helpcrypto helpcrypto
<[hidden email]> wrote:
> I know a lot of colleagues with the same problem, and that's why there has
> been a rumble about "out of scope smartcards on Webcrypto".
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Anne van Kesteren
On Sun, Aug 30, 2015 at 7:33 AM, Tim Guan-tin Chien
<[hidden email]> wrote:
> It's also worthy to point out many nation-state deploys Smart Card
> identifications (despite the privacy concern), allow it's citizens (or
> subjects) to authenticate with government services online.

It seems a potential future for that which works within the web's
security model is FIDO, see

  https://fidoalliance.org/
  https://support.google.com/accounts/topic/6103521

I don't think we're currently working on this though.


--
https://annevankesteren.nl/
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Tim Guan-tin Chien
Thanks for the note.

On Sun, Aug 30, 2015 at 1:50 PM, Anne van Kesteren <[hidden email]> wrote:

> On Sun, Aug 30, 2015 at 7:33 AM, Tim Guan-tin Chien
> <[hidden email]> wrote:
>> It's also worthy to point out many nation-state deploys Smart Card
>> identifications (despite the privacy concern), allow it's citizens (or
>> subjects) to authenticate with government services online.
>
> It seems a potential future for that which works within the web's
> security model is FIDO, see
>
>   https://fidoalliance.org/
>   https://support.google.com/accounts/topic/6103521

Indeed, banks in Taiwan are slowly rolling out OTA based
authentications primary mobile app banking users, despite 100% of the
ATM cards are already smart cards (required by legal mandate against
forgery since 2006) and you can already access back accounts from
"WebATM" websites & smart card readers with -- again, ActiveX or Java
plug-in.

I can't argue if either is securer or "better" compare to another, but
it's important to acknowledge we cannot change the banking industry or
government IT service industry over night by refusing providing
solutions.

> I don't think we're currently working on this though.
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Tim Guan-tin Chien
On Sun, Aug 30, 2015 at 5:37 PM, Tim Guan-tin Chien
<[hidden email]> wrote:

>> It seems a potential future for that which works within the web's
>> security model is FIDO, see
>>
>>   https://fidoalliance.org/
>>   https://support.google.com/accounts/topic/6103521
>
> Indeed, banks in Taiwan are slowly rolling out OTA based
> authentications primary mobile app banking users, despite 100% of the
> ATM cards are already smart cards (required by legal mandate against
> forgery since 2006) and you can already access back accounts from
> "WebATM" websites & smart card readers with -- again, ActiveX or Java
> plug-in.

Sorry, this should be s/OTA/OTP/ -- "one time password" devices and
authentications.

(too much FxOS for me...)
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Anne van Kesteren
In reply to this post by Tim Guan-tin Chien
On Sun, Aug 30, 2015 at 11:37 AM, Tim Guan-tin Chien
<[hidden email]> wrote:

> Indeed, banks in Taiwan are slowly rolling out OTA based
> authentications primary mobile app banking users, despite 100% of the
> ATM cards are already smart cards (required by legal mandate against
> forgery since 2006) and you can already access back accounts from
> "WebATM" websites & smart card readers with -- again, ActiveX or Java
> plug-in.
>
> I can't argue if either is securer or "better" compare to another, but
> it's important to acknowledge we cannot change the banking industry or
> government IT service industry over night by refusing providing
> solutions.

Well, if they're using ActiveX or Java (both seem rather terrible from
a security perspective, but okay), it seems they're not using <keygen>
either, so that solution was probably not sufficient either way.

I agree there needs to be a solution of sorts, but it might take a
while until we figure something out that works for the web and world
at large.


--
https://annevankesteren.nl/
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

helpcrypto helpcrypto
On Sun, Aug 30, 2015 at 12:10 PM, Anne van Kesteren <[hidden email]>
wrote:

> it seems they're not using <keygen> either, so that solution was probably
> not sufficient either way.
>


At least in Spain, <keygen> is the only way to generate a key pair inside
smartcard (using Firefox) before sending PKCS#10 to CA.
Then, you go to the office to verify your identity and when done you can
download the X509 cert inside the card.
Hence you have "qualified signature", to be able to do taxes/whatever
online.

Anyhow, I would love to know, if <keygen> removal its going to happen, when
it will be. 4Q-2015? 2Q-2016?
Regards
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: Smart Card and WebCrypto (Re: On the future of <keygen> and application/x-x509-*-cert MIME handling)

Joseph Lorenzo Hall
In reply to this post by Anne van Kesteren
On Sun, Aug 30, 2015 at 1:50 AM, Anne van Kesteren <[hidden email]> wrote:

> On Sun, Aug 30, 2015 at 7:33 AM, Tim Guan-tin Chien
> <[hidden email]> wrote:
>> It's also worthy to point out many nation-state deploys Smart Card
>> identifications (despite the privacy concern), allow it's citizens (or
>> subjects) to authenticate with government services online.
>
> It seems a potential future for that which works within the web's
> security model is FIDO, see
>
>   https://fidoalliance.org/
>   https://support.google.com/accounts/topic/6103521
>
> I don't think we're currently working on this though.

(from the inveterate lurker...)

I've said this to a number of FF folks but it would be great to get
FIDO U2F support in FF; the U2F-enabled yubikeys/harware tokens etc.
are a great, usable 2-factor technology, but it's hard to recommend
people use them when they only work in Chrome. :/

best, Joe

--
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
[hidden email]
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security