Re: Will the WebCrypto API allow discovery/enumeration of certificates?

> On Jun 25, 2015, at 8:21 AM, Billy Simon Chaves <b.simon@hermes-soft.com> wrote:
> 
> Thanks Ryan for your detailed answer,
> 
>> On Jun 25, 2015, at 12:57 AM, Ryan Sleevi <sleevi@google.com> wrote:
>> 
>> Billy,
>> 
>> I'm a bit surprised that you mentioned your country's CA, but then don't see the privacy implications. I'm not familiar with Costa Rica's eID scheme, but under much of the eIDAS regulation in the EU, the certificates contain a variety of uniquely-identifying PII, such as the user's name, their government-assigned ID, and, in some cases, biometric or photographic identifiers.
>> 
> 
> I get your point. In my country, Costa Rica, certificates only have the subject's name and national ID. That information is already public and you can download it from our national registry official site (http://www.tse.go.cr/descarga_padron.htm). I understand that that would be unacceptable in many other countries.
> 

The privacy issue here is not performing the identity<->public key work, it’s that now a page is able to query your public key, and then reverse map to who you are. At that point the website knows your exact (and unchangeable) identity, and can therefore track you permanently across any domain without relying on any other form of signaling (such as cookies, etc).

—Oliver

Received on Thursday, 25 June 2015 20:06:26 UTC