PSM/Korean Financial Transactions
From MozillaWiki
Today
- Korean e-commerce and e-banking work only in Internet Explorer, because they rely on an ActiveX control.
- "Other major browsers have resisted supporting ActiveX. Until now. Google Chrome has now decided to support ActiveX, but only in South Korea." - http://technode.com/2009/01/16/activex-regulations-in-south-korea-revisited/
Open Questions & Action Items
- What is KISA's recommendation for what we should do?
- What are the current regulations? Are the current regulations still mandating SEED? (bsmith heard that these regulations were being relaxed in order to support smartphones and other novel computing devices.)
- Besides the KISA security ActiveX control, are these sites using other ActiveX controls? If so, for what purpose?
- Who develops the ActiveX control? The Korean government?
- Who distributes the ActiveX control? Do websites make it available to users? Is it pre-installed on Korean computers? Does the government offer it for download?
- What API does the ActiveX control implement?
- Can we develop an NPAPI plugin that is implemented in terms of the ActiveX control?
- What is the license for the ActiveX control? Could we bundle it with Firefox? Is the Korean government willing to open-source the ActiveX control?
- If we develop an alternative implementation of the ActiveX control's functionality, to emulate it, would we need to have that implementation certified by some government organization? If so, what is the process?
- Does the ActiveX control require the KISA government root CA certificates to be installed in the Windows certificate store?
- Is our current SEED support in PSM/NSS sufficient? Do we need to expand it? (This is easy to do.) Do we need to have it certified by KISA?
- Do we need to start trusting the KISA root CA certificates to enable this functionality? Are the KISA roots acceptable according to our root CA policy? If not, can/should we limit how we trust the cert and distribute it anyway? See also Bug:335197.
- How widely distributed is the ActiveX control? That is, how many sites rely on it?
- Of the sites that rely on this functionality, how many of them would otherwise work (partially or completely) in Firefox? That is, are these sites all so IE-centric that they would need major changes to work in Gecko?
- We need to have a user of a Korean banking site walk through the process of installing the ActiveX control and logging in/out of affected sites and making transactions in IE, so that bsmith and kaie can understand what is happening.
References
- Web Crypto API proposed by Channy Yun: http://html5.creation.net/webcrypto-api/
- open bugs 335197, 545577, 516913
- fixed bugs 478839, 453234, which added the base SEED support
Hints at ActiveX control's API
Kookmin Bank uses an ActiveX encryption system. The control appears to be "XecureWeb", vendor SoftForum. The ActiveX control is exposed to web script through the following interface:

    nsIXecurePluginInstance.BlockDec( xgate_addr, cipher));
    nsIXecurePluginInstance.BlockEnc ( xgate_addr, path, "", "POST" );
    nsIXecurePluginInstance.BlockEnc ( xgate_addr, path, escape(posting_data), "POST" );
    nsIXecurePluginInstance.BlockEnc(xgate_addr, "/", "", "GET");
    nsIXecurePluginInstance.BlockEnc(xgate_addr, path, escape(qs),"GET");
    nsIXecurePluginInstance.BlockEnc(xgate_addr,"/",plain,"GET");
    nsIXecurePluginInstance.BlockEnc(xgate_addr,PATH,, "GET");
    nsIXecurePluginInstance.DeleteCertificate ( escape(dn));
    nsIXecurePluginInstance.EndSession( xgate_addr );
    nsIXecurePluginInstance.GenerateCertReq( 1024 );
    nsIXecurePluginInstance.InstallCertificate(cert_type, cert );
    nsIXecurePluginInstance.LastErrCode();
    nsIXecurePluginInstance.LastErrMsg());
    nsIXecurePluginInstance.LastErrMsg();
    nsIXecurePluginInstance.PutBigBannerUrl( xgate_addr, bannerUrl);
    nsIXecurePluginInstance.RenewCertificate2( ca_port, ca_ip, ca_type + 256 , pwd_fail );
    nsIXecurePluginInstance.RenewCertificate2( crosscert_ca_port, crosscert_ca_ip, crosscert_ca_type + 256 , pwd_fail );
    nsIXecurePluginInstance.RenewCertificate2( koscom_ca_port, koscom_ca_ip, koscom_ca_type + 256 , pwd_fail );
    nsIXecurePluginInstance.RequestCertificate2 ( crosscert_ca_port, crosscert_ca_ip, ref_code, auth_code, crosscert_ca_type + 256 );
    nsIXecurePluginInstance.RequestCertificate2 ( koscom_ca_port, koscom_ca_ip, ref_code, auth_code, koscom_ca_type + 256 );
    nsIXecurePluginInstance.RequestCertificateEx2 ( ca_port, ca_ip, ref_code, auth_code,1 + 256 ,0,"","",1);
    nsIXecurePluginInstance.ShowCertManager();
    nsIXecurePluginInstance.SignData (xgate_addr,escape(accept_cert),escape(plain),show_plain,escape(sign_desc) );
    nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert),escape(plain),show_plain,escape(sign_desc) );
    nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert_bill),escape(plain),show_plain,escape(sign_desc) );
    nsIXecurePluginInstance.SignData (xgate_addr,escape(yes_accept_cert_sERP),escape(plain),show_plain,escape(sign_desc) );
    nsIXecurePluginInstance.SignData2 (xgate_addr,escape(accept_cert),escape(plain),option,escape(sign_desc),pwd_fail);
(The above is actually the interface of an NPAPI control; the ActiveX control has the same interface.)

The XecureWeb installation includes the following DLLs:

    $ ls /C/Program\ Files/SoftForum/XecureWeb/ActiveX
    ClientSM.exe Download MiraePKIX_v4.dll RestartIE.exe Unzip32.dll XCrSvr.exe
    XWSmartCard.dll XWebCLT.dll XWebCMP.dll XWebCS.dll XWebCertMng.dll
    XWebFileCLT.dll XWebFileRD.dll XWebSSL.dll XWebUI.dll XWebUpdate.dll XWebUtil.dll
    XecureASN_v20.dll XecureCMP_v20.dll XecureCRL_v20.dll XecureCSP_v20.dll
    XecureCTL_v20.dll XecureCodec_v20.dll XecureCrypto_v20.dll XecureFreeze.dll
    XecureIO_v20.dll XecureLDAP_v20.dll XecureNEAT_v20.dll XecureOCSP_v20.dll
    XecurePKCS12_v20.dll XecurePKCS5_v20.dll XecurePKCS7_v20.dll XecurePKCS8_v20.dll
    XecurePKC_v20.dll XecurePVD_v20.dll XecureST_v20.dll XecureTSP_v20.dll
    Zip32.dll conf log npxwebplugin.dll npxwebplugin_file.dll nsldap32v50.dll temp
    xwUACUpdatectl.dll xwUACWrapper.dll xwUACctl.dll
XWebCLT.dll implements the ActiveX entry points. npxwebplugin.dll implements the NPAPI entry points.
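The call fragments listed under "Hints at ActiveX control's API" can be turned into a method/argument-count inventory, which is a useful starting point for the open question of what API the control implements. The following is an added example, not code from the original page or from SoftForum; `FRAGMENTS`, `splitArgs` and `inventory` are hypothetical names, and the input is a subset of the fragments above.

```javascript
// Call fragments copied from this page's listing (a subset). Some are
// unbalanced because they were cut out of larger script expressions.
const FRAGMENTS = [
  'nsIXecurePluginInstance.BlockDec( xgate_addr, cipher));',
  'nsIXecurePluginInstance.BlockEnc ( xgate_addr, path, escape(posting_data), "POST" );',
  'nsIXecurePluginInstance.BlockEnc(xgate_addr,PATH,, "GET");',
  'nsIXecurePluginInstance.LastErrMsg());',
  'nsIXecurePluginInstance.RequestCertificateEx2 ( ca_port, ca_ip, ref_code, auth_code,1 + 256 ,0,"","",1);',
  'nsIXecurePluginInstance.SignData (xgate_addr,escape(accept_cert),escape(plain),show_plain,escape(sign_desc) );',
  'nsIXecurePluginInstance.SignData2 (xgate_addr,escape(accept_cert),escape(plain),option,escape(sign_desc),pwd_fail);',
];

// Hypothetical helper: split the argument list that begins at src[start]
// (just past the opening parenthesis), honouring nesting and string literals.
function splitArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) { cur += ch; if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && depth-- === 0) { args.push(cur.trim()); return args; }
    else if (ch === ',' && depth === 0) { args.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  return null; // the call never closes inside this fragment
}

// Hypothetical helper: map each method name to the argument counts observed
// and note whether any call site has an empty (elided) argument slot.
function inventory(fragments) {
  const api = new Map();
  for (const line of fragments) {
    const m = /nsIXecurePluginInstance\.(\w+)\s*\(/.exec(line);
    const args = m && splitArgs(line, m.index + m[0].length);
    if (!args) continue;
    const argc = args.length === 1 && args[0] === '' ? 0 : args.length;
    const entry = api.get(m[1]) || { arities: new Set(), elided: false };
    entry.arities.add(argc);
    if (argc > 0 && args.includes('')) entry.elided = true;
    api.set(m[1], entry);
  }
  return api;
}

for (const [name, e] of inventory(FRAGMENTS))
  console.log(name, [...e.arities], e.elided ? '(elided argument)' : '');
```

The `BlockEnc(xgate_addr,PATH,, "GET")` fragment is reported with an elided argument, so its third parameter has to be confirmed from the other call sites rather than from that line.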