W3C home > Mailing lists > Public > public-identity@w3.org > February 2012

Re: W3C Web Identity Standardization Woes

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Thu, 09 Feb 2012 08:20:57 +0100
Message-ID: <4F3373D9.1050305@telia.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
CC: "public-identity@w3.org" <public-identity@w3.org>
On 2012-02-09 02:04, Henry B. Hotz wrote:
> 
> On Feb 8, 2012, at 11:50 AM, Anders Rundgren wrote:
> 
>> Anyway, I let you continue with whatever you do in peace; I stick to
>> the Open Source/Hardware route and skip standardization.  
> 
> I'm honestly not trying to be hostile, but if this is how you feel why are you here?

Well, I started by attending the workshop in May 2011.  After that
a bunch of interesting but completely unrelated "web identity"
initiatives surfaced which made me come to the conclusion that this
isn't for me at least.

BTW, I haven't seen a single posting from Microsoft or Apple regarding
DomCrypt.  I honestly believe they are not really here either...

> 
>> There are
>> no surefire successes in this space and I wish you luck.
>>
>> Anders
>>
>>>> On 02/08/2012 06:30 AM, Anders Rundgren wrote:
>>>>> IMO smart
>>>>> cards using non-domain-restricted credentials such as PIV must not be exposed
>>>>> on the web; they can only be used by trusted applications such as TLS.
>>>>>
>>>>> Anders
> 
> I have absolutely no idea what you are trying to say here. 

Well, from the discussions 2011 it seems that you are not alone :-(

If you take a look a Microsoft's CertEnroll you have a system which
is broken due to a misunderstood web security and privacy concept.


>  1) I'd hardly call TLS a "trusted application";

The TLS code is supplied by the browser vendor which differs in
trustworthiness from arbitrary transient code from a web-site.


> 2) A PIV card is a well-defined client credential, with good security properties.

Yes, but if you let arbitrary web code access it you won't be able
maintaining these properties.


>Obviously, if someone can *otherwise* break in to the machine it's 
> plugged into, it can be at least temporarily hijacked.
> Is that what you mean by "exposed on the web"?

No, see above.


> Is the phrase "non-domain-restricted credentials" as
> Microsoft-centric as it sounds, or are you referring to DNS?

If I understood it right the current DomCrypt presumes that
the issuer=relying party=domain for its keys.  This idea
has severe usage limitations but is at least secure in the
sense that an RP can only screw-up for himself.  Going beyond
that is a different story and AFAICT, possibly not even
related to DomCrypt.  It would have been great knowing a
bit more about things like Google's Wallet and Microsoft's
W8/TPM2 stuff but apparently we cannot.

Cheers,
Anders
member of Trusted Computing Group

> 
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
> 
Received on Thursday, 9 February 2012 07:21:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 9 February 2012 07:21:36 GMT