Re: Beyond HTTP Authentication: OAuth, OpenID, and BrowserID: Meeting on March 29th at IETF83

On 2012-03-20 11:21, Mo McRoberts wrote:
> 
> On 20 Mar 2012, at 10:15, Anders Rundgren wrote:
> 
>> There is to my knowledge no SDO that has taken on secure key storage and
>> provisioning.  In TCG (which I'm a member of), secure key storage is on
>> the menu but the provisioning has been left to vendors to cater for.
> 
> *Tangentially related*, I blogged a little bit about secure provisioning the other day:
> 
> http://nevali.net/post/19391532575/provisioning-keys-and-provenance

*Highly related* I would say.

> 
> (if memory serves we've talked around this list in the past — so to be clear, I'm not claiming to have invented anything, just written it up)
> 
> As with everything, I'm sure there's a terribly good reason why somebody or other wouldn't want to implement such a thing.

According to a US government official I met in Washington DC, there is a
reason why provisioning is not a part of the US PIV smart card standard
and that spells "hardware vendor".  This has severely dwarfed the PIV
as a standard for other parties and in the end everybody lost.

I actually tried to purchase security hardware from a couple of vendors but
then I had to specify how many 10K (!) units I needed as well as signing NDAs.
I would also not be able to publish the code.  Case closed, or as I found
out later: Open Security Hardware is nowadays a viable alternative.

Anyway, bridging the gap from crypto hardware to the browser is actually
not a simple task.  Here is my take on the subject:
http://openkeystore.googlecode.com/svn/trunk/resources/docs/Efficient-Provisioning-of-Complex-Structures-Over-Unsecured-Channels.pdf

Anders
> 
> M.
> 

Received on Tuesday, 20 March 2012 11:40:21 UTC