
[WebCrypto.Next] Comparison with HTTPS Client Cert Auth

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 19 Feb 2015 11:49:00 +0100
Message-ID: <54E5BF9C.4040705@gmail.com>
To: "public-web-security@w3.org" <public-web-security@w3.org>

HTTPS Client Certificate Authentication has been supported by all browsers for almost 20 years.
It exposes a fully standardized interface to Web Applications, which is simply a URL.
In spite of that it is entirely proprietary with respect to integration in the browser platform
with implementations based on PKCS #11, CryptoAPI, JCE, .NET, NSS as well as working with a
huge range of secure key-containers like SIM, PIV, TEE, TPM, "Soft Keys".  This side of the
coin has not been standardized since it [provably] wasn't needed.

In: https://lists.w3.org/Archives/Public/public-webcrypto-comments/2015Jan/0000.html
Google's Ryan Sleevi writes:
   What you're looking for is
http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html

This scheme could (after "Polishing" + W3C Standardization), without doubt, support the same
powerful paradigm as HTTPS Client Certificate Authentication (Web-Portable/Platform-Proprietary),
for virtually any security application you could think of.

I don't understand why it is so hard to admit that we all (even including yours truly!)
have been looking for answers in the [entirely] wrong place.  It's only human to err :-)

Cheers,
Anders
Received on Thursday, 19 February 2015 10:49:30 UTC
