Use-cases for Web Crypto API
Posted on:There is several use-cases for web crypto api. Harry Halpin wrote:
- The ability to select credentials and sign statements can be necessary to perform high-value finanicial transactions as well as secure identity-related claims personal data.
- The provisioning and use of keys within Web applications can be used for scenarios like increasing the security of user authentication and to determine whether a particular device is authenticated for particular services.
- The signing and verifying Javascript code libraries can be used to determine their trustworthiness.
- Encrypting local storage (via sharing the key identifier with the server to decrypt when needed) can make valuable information therein more secure.
- The encryption of user communication such as near real-time messaging via Web applications.
Also I suggested some of things in mailinglist:
In case of a bill of credit card or telephone or personal medical data from hospital, the encrypted messages can be secure because anyone cannot see that. In Korea, many credit card companies and tax agencies send bills to customers via email attachement. Users can see it by their certificate. – little weired 🙁
Most of credit card transaction has been based on card number, expire date and CVC code. Recently VISA3D was developed similar with pin code. But, permantly, user certificate issued by credit card is more secure than previous methods. In Korea, major card companies have already used
certificate based card transations.
Most of company used SSL based VPN with pre-installed agent program, but the method of authentification is just pin code or one-time pasword. Certificate based VPN in web will be good market to many security companies and useful to users.
Some of contents can be paid by users and web developers can determine users and devices too. In that process, maintaining SSL servers for all of web contents are very big burden for IT companies. Web developers can treat only selected contents with light secured methods.
I want to add some of use-cases too.
1. Handling S-MIME certificate and encryption and decryption in web based email system. It’s very important problem for company based secret deals between internatioanl companies.
2. Handling XML Encryption via SOAP in web application. Despite of small cases, there are still SOAP based XML communications in govenments and big companies. This naturally can be migrated to web applications.