
Re: crypto-ISSUE-15: Discovering certificates associated with (private) keys

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Tue, 16 Oct 2012 10:55:28 +0200
Message-ID: <507D2100.3090409@telia.com>
To: Samuel Erdtman <samuel@erdtman.se>
CC: David Dahl <ddahl@mozilla.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Mountie Lee <mountie.lee@gmail.com>
Although Samuel and I advocate different solutions, they have a
couple of very important things in common:

- Credentials cannot be used "as is", they need to be reissued
- Presumes fairly low-level scanning of platform/browser key-stores

So now there are *two* proposals!  Maybe there's yet another proposal hidden
deep down in the WG email-list as well?  I leave that to David to sort out :-)

Anders

On 2012-10-16 10:33, Samuel Erdtman wrote:
> Hi
>
> Since I'm not yet a member of the group I'll send some thoughts here.
>
> First, it would be very useful to address certificates and their
> attributes since they are used everywhere in our use-cases (Technology
> Nexus); we do not handle keys without certificates. Therefore I think
> that certificates, even though they are a secondary use-case in the
> charter, should be addressed if possible.
>
> I have looked at Anders' proposal and it could be one part of solving
> our use-cases. However, I would like to describe an alternative
> solution that solves the same part of the problem but from a slightly
> different angle.
>
> I would like to have keys bound to origins (let's not open the
> Pandora's box of breaking the same-origin policy). I would also like keys
> that are pre-provisioned to be tagged with a domain, possibly with
> several domains and wildcards for sub-domains. One solution for
> tagging keys could be a certificate attribute. With this solution
> specific domains could list all the keys that they own in a way that is
> consistent with the rest of their GUI, i.e. not like client-SSL
> works today. To handle the obvious need for cross-origin signing I
> would like the site wanting to sign something to load an
> iframe/popup/tab with the key owner's URL and use e.g. postMessage to
> ask for a signature/encryption, and the owner site will have to list
> keys and ask the user for a PIN etc. I know this might best suit
> asymmetric keys and signing (i.e. PKI) but that is our most central
> use-case.
>
> Cheers
> //Samuel Erdtman
> Product Manager
> Technology Nexus AB
>
>
>
> On Mon, Oct 15, 2012 at 6:28 PM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> On 2012-10-15 17:57, David Dahl wrote:
>>>
>>>
>>> On 10/13/2012 12:08 AM, Anders Rundgren wrote:
>>>> http://lists.w3.org/Archives/Public/public-webcrypto/2012Oct/0066.html
>>>>
>>>> Because this is what the plugin folks all over the world actually do, I
>>>> concur with Mountie: "The time is NOW".
>>>>
>>>> There is (as you should know by now) also a proposal for this. It's
>>>> incompatible with most vendors' cryptographic platforms but that may be the
>>>> price to pay when you want (?) to challenge proprietary one-purpose
>>>> solutions with standards. Nobody said it was easy either :-)
>>>>
>>>> David, since you initiated the "web crypto craze", what's your take on
>>>> this?
>>> Anders:
>>>
>>> Are you referring to your proposal?
>>
>>
>> Yes, is there any other concrete proposal?
>>
>>
>>> Is Mountie familiar with it?
>>
>>
>> I haven't received feedback from any WG member.  I believe Mountie rather
>> expects the WG to address this issue NOW (=ASAP).
>>
>>
>>>
>>> As far as supporting certs in the spec, with the low-level API it seems
>>> natural to do so, however, this is definitely not a primary issue to resolve
>>> in the near term.
>>
>>
>> A primary issue is resolving how you discover and access keys stored in
>> existing (often platform-wide) key-stores.
>> Without such a solution, the rest is probably of moderate interest to people
>> involved in large-scale deployments of OOB-provisioned keys.
>>
>> Mountie mentioned some 25M people in Korea, and in Sweden half of the
>> population is equipped with certificates for on-line access.
>>
>> Cheers,
>> Anders
>>
>>
>>>
>>> Cheers,
>>>
>>> David
>>>
>>
>>
>
Received on Tuesday, 16 October 2012 08:56:13 GMT