W3C home > Mailing lists > Public > public-web-security@w3.org > November 2014

Re: [WebCrypto.Next] Microsoft's Contribution

From: Mountie Lee <mountie@paygate.net>
Date: Wed, 26 Nov 2014 11:14:40 +0900
Message-ID: <CAE-+aYLWYbmxu6Piwc1BYPWYTMwygjPKjQVbpt2O0ugV1Dk8yg@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: Martin Paljak <Martin.Paljak@ria.ee>, "public-web-security@w3.org" <public-web-security@w3.org>
In my industries, they have big interest for Microsoft's proposal.
it actually touching important concepts

1. Key Ownership
- the design principle of current webcrypto api is "key provisioner (aka
the server) has the key ownership"
- if the key is owned by server side, the key will be bound into same
origin policy
- if the key is owned by user, the key can be used on multiple origins
- different principle of key ownership is also touching secure elements at
client side.

I believe the Web should be User Centric

2. Certificate Management
- the suggested API seams workable for CMP (Certificate Management Protocol)

3. Secure Computing Environment
- when the PC was compromised, SCE will protect sensitive client side
resources.

best regards
mountie

On Mon, Nov 17, 2014 at 4:14 PM, Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2014-11-17 07:25, Martin Paljak wrote:
>
>> Hello,
>>
>>
>> Huge thanks to the creators of this presentation! I feel that parts of it
>> target exactly the same sector (signatures with existing tokens) and
>> direction and mindset and resulting functionality that we are using within
>> Estonia and this makes a perfect collaboration target for us. This is
>> similar to what we currently target with "proprietary" (but open source)
>> plugins, just need to work on harmonizing the API to get comparable real
>> life functionality.
>>
>
> Hi Martin,
>
> Although the details are quite sketchy I have tried to "decipher" the
> documentation. These are my findings:
>
> It *seems* that relying party code has direct API access (which *not* the
> case with plugins).
>
> That is, it appears that *users* would need to decide (per site) if a
> site's *client code* is to be trusted or not.
> IMO, issuers like banks would probably not accept such an arrangement.
>
> OTOH, I may have gotten it all wrong due to the limited documentation :-)
>
> Cheers,
> Anders
>
>
>
>> Things like UI are still unclear from the slides but something that can
>> be worked upon.
>>
>>
>> Best,
>> Martin
>> ________________________________________
>> From: GALINDO Virginie [Virginie.Galindo@gemalto.com]
>> Sent: Wednesday, November 12, 2014 11:33
>> To: public-web-security@w3.org; public-webcrypto@w3.org;
>> Jeff.Hodges@PayPal.com; Anders Rundgren
>> Subject: [WebCrypto.Next] Microsoft's Contribution
>>
>> Dear all,
>> Please note that the contribution made by Israel and Vijay, related to
>> certificate management is now available on the web crypto WG wiki,
>> classified in the F2F meeting page, here https://www.w3.org/2012/
>> webcrypto/wiki/images/d/dd/CertAndKey_Management_
>> Requirements_for_WebCrypto_microsoft.pdf
>> This will be discussed when the group will be re-chartering.
>> Regards,
>> Virginie
>> ________________________________
>>   This message and any attachments are intended solely for the addressees
>> and may contain confidential information. Any unauthorized use or
>> disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable
>> for the message if altered, changed or falsified. If you are not the
>> intended recipient of this message, please delete it and notify the sender.
>> Although all reasonable efforts have been made to keep this transmission
>> free from viruses, the sender will not be liable for damages caused by a
>> transmitted virus.
>>
>>
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
Received on Wednesday, 26 November 2014 02:15:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:22 UTC