
Re: [Web Crypto Next] Lets start discussing !

From: helpcrypto helpcrypto <helpcrypto@gmail.com>
Date: Fri, 7 Nov 2014 09:53:31 +0100
Message-ID: <CAHMQSguOfFLAHL8zbVsK6anrwzV_zmed2r6HjdvXsthhO+xqZQ@mail.gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

> On Thu, Nov 6, 2014 at 2:01 PM, GALINDO Virginie <
> Virginie.Galindo@gemalto.com> wrote:
> Hello helpcrypto,
> Few answers:
> - I am not sure Anders is a reference, here, rather a passionate and
> talkative person :)
Probably a translation issue. I mean someone who is very participative and
active. ;)

> - See my last e-mail on rechartering to understand where w3c is, on
> accepting smart cards
Done. Thx

> - FIDO is not part today of W3C scope, you should ask them directly
> your questions.
> Virginie
As usual, thanks for your time, patience and support.

On Thu, Nov 6, 2014 at 10:22 PM, Sanjeev Verma <s2.verma@samsung.com> wrote:

>  Hello HelpCrypto,
> It is true that FIDO is not an open organization but you can download the
> specs from their website.
> https://fidoalliance.org/specifications/download/
That doesn't fix the problem of restricted participation ;)

Quoting you:
> IMHO it makes sense to work closely with FIDO on specific requirements
> instead of looking for a parallel solution.
How could we (work closely with FIDO)?

>   FIDO U2F addresses a very different use case (primarily for mobile
> payment or strong authentication) —it allows a user to carry a Web
> Key-Chain in the hardware token. It generates a public-private key pair for
> a Relying Party and sends the public key & a key handle to the Relying
> party (RP) at registration time. The Relying party identifies the key
> through a key handle. Later it is used for authentication between the user
> and the Relying party: the user first authenticates to the RP using
> PIN/Password and then authenticates (second factor) to the RP by signing
> the challenge using the private key.
Sure, the U2F self-explanatory pictures are clear on this.

>  You are talking about a different use case where the hardware token
> stores certs from different CAs to sign documents. FIDO specs currently do
> not address this use case.

> Probably you should have a look at the email conversation that I had with
> Siva. I was thinking more in terms of standardizing the Web App-Plugin
> interface (“pipe”) that will accommodate both FIDO use case and the use
> case that you are referring to.
IIUC you are referring to UAF, aren't you? I will have a look at it.

My point is: FIDO is really cool to login without pass/U2F, but missed
(probably on purpose) the widely-used use case of document signing.
I would love to see this included in a next version, adopted by browsers,
and us using it while ending my painful relationship with Java Applets.

Thanks a lot for your kind answers

On Thu, Nov 6, 2014 at 11:46 PM, Siva Narendra <siva@tyfone.com> wrote:

> Agreed. The question is where does such an effort belong within W3C.
> Webcrypto WG may not be the right place for it within W3C given the WG's
> charter. The "pipe" maybe best done in a stand alone WG only because there
> are various efforts including unfinished ones such as the
> Gemalto+Deutsche Telecom's SE API proposal to W3C.
Shall this discussion also be done at another place instead?

Received on Friday, 7 November 2014 08:54:19 UTC
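
The registration and authentication exchange described in the quoted U2F summary above, as an added example that is not part of the original thread or of any FIDO code. It is a simplified model rather than the U2F wire format: the `Token` and `RelyingParty` classes, the in-memory key store and the `https://rp.example` identifier are assumptions, and the PIN/password first factor is left out.

```javascript
// Simplified model of per-RP key registration and challenge signing (not the FIDO wire format).
const crypto = require('crypto');

class Token {                                   // hypothetical stand-in for the hardware token
  constructor() { this.keys = new Map(); }      // keyHandle -> { rpId, privateKey }
  register(rpId) {
    // Fresh P-256 key pair per Relying Party; the private key never leaves the token.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const keyHandle = crypto.randomBytes(16).toString('hex');
    this.keys.set(keyHandle, { rpId, privateKey });
    return { keyHandle, publicKey: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  sign(rpId, keyHandle, challenge) {
    const entry = this.keys.get(keyHandle);
    // Refuse a key handle that is unknown or was issued to a different RP.
    if (!entry || entry.rpId !== rpId) return null;
    return crypto.sign('sha256', Buffer.concat([Buffer.from(rpId), challenge]), entry.privateKey);
  }
}

class RelyingParty {                            // hypothetical server side
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); this.pending = new Map(); }
  enroll(user, registration) { this.users.set(user, registration); }
  startAuth(user) {
    const challenge = crypto.randomBytes(32);   // fresh random challenge per attempt
    this.pending.set(user, challenge);
    return { keyHandle: this.users.get(user).keyHandle, challenge };
  }
  finishAuth(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                  // a challenge is accepted once only
    if (!challenge || !signature) return false;
    const data = Buffer.concat([Buffer.from(this.rpId), challenge]);
    return crypto.verify('sha256', data, this.users.get(user).publicKey, signature);
  }
}

function demo() {
  const token = new Token();
  const rp = new RelyingParty('https://rp.example');        // constructed RP identifier
  rp.enroll('alice', token.register(rp.rpId));              // registration: public key + key handle
  const first = rp.startAuth('alice');
  const sig = token.sign(rp.rpId, first.keyHandle, first.challenge);
  const ok = rp.finishAuth('alice', sig);                   // valid second-factor response
  rp.startAuth('alice');                                    // RP issues a new challenge
  const replay = rp.finishAuth('alice', sig);               // old signature replayed against it
  const crossRp = token.sign('https://other.example', first.keyHandle, first.challenge);
  return { ok, replay, crossRp };
}
```

The key pair here is bound to one Relying Party and only ever signs that party's challenges, which is why the thread treats signing documents with CA-issued certificates as a separate use case.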
