Re: Proposed API Extension for X.509 Certificates and Smart Cards

On 2014-02-13 00:15, Ryan Sleevi wrote:
> I have not heard from a single participant with experience in smart cards or desiring smart cards who would desire to see all issued certificates re-issued to support the scheme.
>
> It also fails to take into account the serious security considerations that would exist if a certificate was provisioned for example.com, but then the certificate issuer lost control over example.com.
>
> While you're correct that a proposal is a proposal, I think your time would be better served - as would those who are interested in CMP and more complex KMS - to first draft a set of problem statements and reach consensus on the problems that you're trying to solve, rather than continually approaching the WG with proposals that you believe solve your problem, but do not do so in a clear and direct way.

Dear Ryan,

Proposals tend to have pros and cons.  You have clearly identified a couple of weaknesses in the plot.

I'm cool with that.  Now I look forward to seeing the *other* proposals that Virginie has indicated are in the works.

Regarding the use-case, it's pretty straightforward:

                      "Blending traditional PKI (including how it is packaged and distributed), with WebCrypto."

Cheers,
Anders

>
>
> On Wed, Feb 12, 2014 at 1:33 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>     Ladies and Gentlemen,
>
>     A year ago I submitted a pretty complex proposal for adding X.509 and smart card capabilities
>     to WebCrypto based on a "bridging" scheme.  Approximately the same time a fellow developer
>     in this field Samuel Erdtman of NexusSafe suggested a much simpler way forward, albeit still
>     building on a bridge concept.
>
>     Following the golden rule that "less is more" I have with Samuel's permission merged a
>     minor portion of my API ideas with his concept:
>
>     http://webpki.org/papers/PKI/x509-webcrypto-extension-scheme.pdf
>
>     Enjoy!
>
>     Anders Rundgren
>
>

Received on Thursday, 13 February 2014 06:04:30 UTC