W3C home > Mailing lists > Public > public-web-security@w3.org > January 2015

Re: [W3C Web Crypto WG] Rechartering discussion

From: Paul Lambert <paul@marvell.com>
Date: Thu, 15 Jan 2015 11:31:58 -0800
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
CC: "public-web-security@w3.org" <public-web-security@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
Message-ID: <D0DD4D27.58830%paul@marvell.com>


In looking at the priority list …  discovery of devices and keys is a high priority.

IMHO a very good starting point would be the delivery of a key centric form of identifier.  Users at some point need to identify a device.  If every secure device has some form of public/private key, a unique identifier should be created.

Such an identifier would need to be:
 - unique per ‘persona’
   Persona being a broadly defined container for a device or application identity and it’s associated behavior
 - able to support a diversity of cipher suites (including a diversity of ECC curves)
     - must support new curves from IETF CFRG
     - provide optional cipher suite privacy
          - access to a key identifier should not disclose it’s underlying
            algorithms unless already known
 - machine readable and web usage friendly (e.g. No ‘<‘)
 - human readable for validation of Id
    - easily readable with no display characters that might be confused
        (excluded characters   0O  I1l  5S VU  )
    - case insensitive for ease of reading and possible entry
        - display aways in upper case (consistent and readable)
        - always accept upper or lower case
    -  suggest: 26upper/lower + 10 numeric – 9 excluded = 27
           Leading to  base 27 encoding, or base 29 if UV allowed
    - allow and define a small set of separators for readability
 - identifier encoding must provide strong binding (e.g. Hash) to:
   - cipher suite
       - indicates type of public key ands it’s encoding and usage
       - includes associated encryption, hash, etc.
   - value of the associated public key
 - provide optional  privacy features to mask pubic use of identity

The idea is that any public key based identity could be represented universally by a unique identifier for any device, thing, application, server, service, whatever.  A worked example might look like:

             JEQG-FF4M-7HBF-QNH3-CKYE


Paul


Dear all,

Web Crypto WG charter [1] will end by the end of March. We need to prepare the next charter of Web Crypto.

As a reminder, the conversation has started on this page :   https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter
Feel free to add you ideas and suggestions on the wiki and/or expose your opinion and question on the public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> or public-webcrypto-comment@w3.org<mailto:public-webcrypto-comment@w3.org> (for non W3C Web Crypto WG members).

Regards,
Virginie

[1] http://www.w3.org/2011/11/webcryptography-charter.html

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
Received on Thursday, 15 January 2015 19:32:30 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 15 January 2015 19:32:31 UTC