W3C home > Mailing lists > Public > public-identity@w3.org > August 2011

Re: W3C's Enrollment Specification

From: Henry Story <henry.story@bblfish.net>
Date: Sat, 6 Aug 2011 11:38:08 +0200
Cc: "public-identity@w3.org" <public-identity@w3.org>
Message-Id: <103BCA2E-7913-4C92-8A56-06779B12EB51@bblfish.net>
To: Anders Rundgren <anders.rundgren@telia.com>
On 6 Aug 2011, at 10:04, Anders Rundgren wrote:
> http://lists.w3.org/Archives/Public/public-html/2011Aug/0033.html
> W3C is like PKIX working with the idea of upgrading existing schemes
> rather than starting with a requirement specification and see where
> that leads you.
> I don't think W3C's revised <keygen> will go anywhere because a 2-phase
> protocol doesn't really cut it.  Apple's already deployed scheme for iPhone
> is considerably more powerful and user-friendly.

The MD5 situation can be mitigated by the server using a time based challenge.
This can reduce the attack surface to a few minutes. I doubt md5 is that bad.
But better security would be better of course.

I wrote this up the different ways of creating certificates here


What I am still not clear about is what could go wrong. I thought I had understood 
that for a while, but I realised I am not clear about that. After all a public 
certificate is no use if you do not have the private key corresponding to the public key
published in the certificate. So even if someone took the public key generated by the browser
there is not much they could do with it.

Can you fill be in again here? I feel like there is something I am missing here, and I would
like to fill in the whole in the wiki above.

By the way I don't see how what Apple is doing could have a better user interface.
The user interface for keygen is: click a button. Unless they move to mind reading...


> Anders

Social Web Architect
Received on Saturday, 6 August 2011 09:38:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:00:47 UTC