Re: WebCrypto API Developers Feedback

Hi.
I'm sure certificates have many, many issues in practice.

I'm not talking about the infrastructure (PKI stands for Public Key Infrastructure),
just focusing on the UA level.


On Fri, Mar 15, 2013 at 4:48 AM, Jeffrey Walton <noloader@gmail.com> wrote:

> On Thu, Mar 14, 2013 at 1:24 AM, Mountie Lee <mountie.lee@mw2.or.kr>
> wrote:
> > On Thu, Mar 14, 2013 at 1:53 PM, Matthias Dugué <mdugue@clever-age.com>
> > wrote:
> >>
> >> ...
> >> Finally, the use case for certificate management is missing (as a simple
> >> and attractive means to implement the user/application authentication).
> >> We're very impatient to see the outcome of your efforts to bring us a
> >> robust API to build crypto methods. But, as web applications developers,
> >> our first emergency is a simple to use and robust API, to deal with
> >> certificates/authentication, in order to prevent the security hole that
> >> is currently the login/password couple.
> >
> > The certificate management issue is one of the secondary issues.
> > I expect a draft version of the certificate work, as a document separate
> > from the current API spec, will be suggested to the working group soon.
> > My team is preparing the proposals, and you can review them and add your
> > comments.
> Be careful here. We know PKI with Internet profiles (PKIX) has
> problems in practice.
>
> In the big picture, a certificate or public key (with its
> corresponding private key) is how we identify folks. Making
> certificate and public key management a secondary goal may have the
> unintended effect of leaving gaps in authentication.
>
> From my experience, I rejected a number of web or browser based
> applications for use at numerous firms due to authentication gaps
> (courtesy of PKIX and Public CAs) coupled with lack of client
> capabilities. There is some hand waving here, since the data
> sensitivity level was also in play.
>
> At lower data sensitivity levels, many firms would accept the risk.
> Anything higher often resulted in rejection, even when executives
> wanted it. At least 5 'BoardPad' applications were rejected. BoardPad
> applications are the apps executives and board members want to use
> with their tablets for board meetings.
>
> Since you can't fix PKI, you have to improve client capabilities.
>
> Jeff


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Friday, 15 March 2013 00:50:28 UTC