- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 29 Jun 2011 13:19:56 +0200
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-identity@w3.org" <public-identity@w3.org>
On 29 Jun 2011, at 11:07, Anders Rundgren wrote: > On 2011-06-29 09:21, Henry Story wrote: > <snip>> >> It would be great to have provisioning of such hardware devices be as easy as simple >> keygeneration in a browser. >> >> I have heard of the keygen2 proposal, >> http://webpki.org/auth-token-4-the-cloud.html >> but I am not sure what other use cases more the advanced keygens are trying to solve - >> probably because I have not yet hit those limits myself. > > A very basic bank-requirement that isn't met by current browser-vendor > "keygen" solutions is the ability defining a PIN to a key. > > In a typical WebID scenario a PIN would probably be a user option but in > the bank-world it is the bank that unilaterally sets the policy. The key that is sent to the server is a public key, so it is of no use without the private key. The keychain on the users computer is protected with a password usually, or the cryptokey is. The thing to protect after all is the private key, and that should not leave the device. So I am still not sure I understand this requirement. > A good "keygen" system should support different policies. You mean it should allow the user to tell the server what types of certificates are needed in return via some information sent in the keyrequest? If so can that not easily be done by adding extra attributes in forms? If the aim is to make the attributes in the forms machine readable, so that a robot would know by inspecting a form how to fill it out, then there are two simple solutions: - hardcode form parameters but specify the post end point to be of a certain type: a type where attributes have a well defined meaning. This is what we do in the pingback protocol http://bblfish.net/tmp/2011/05/09/ - develop an RDF markup for forms (I think there are some) The nice thing is that the above don't need changes to the browser. But I am probably missing something here. > A 10-pass protocol for setting a PIN may appear "slightly" over-engineered > but KeyGen2 does a few other tricks as well :-) What I'd love is at least for - keygen to be implemented on all cellphones, for better UIs. - Better UIs. Some are really too technical, such as Opera's which on many other respects is really good, as it gives the user to choose between way too many key strengths. - seamless integration with cryptokeys, so one can use one's cryptokey to start one's car and use it in an internet café. Henry > > Regards, > Anders > Social Web Architect http://bblfish.net/
Received on Wednesday, 29 June 2011 11:20:27 UTC