W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2013

Re: Use case: Authenticate using eID

From: Mountie Lee <mountie@paygate.net>
Date: Thu, 9 May 2013 09:49:53 +0900
Message-ID: <CAE-+aYKcqVJx3i1DHsAkyEA=FQJpGWuvLiCuFT4ZyPS2SoidcQ@mail.gmail.com>
To: Nick Van den Bleeken <Nick.Van.den.Bleeken@inventivegroup.com>
Cc: Arun Ranganathan <arun@mozilla.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Hi.
eID in EU and personal certificate in KR is almost same.
we also need cross-origin exceptions from current API.

when I think the "bridge" between origin-specific and cross-origin policies,
following bridges can be considered.

- Certificate Trust Chain
if the certificate is valid up to UA's trusted root CA, allow cross-origin
operation with some restrictions

- CORS
currently CORS is for remote resources.
but we also can use CORS policy for our origin specific key issue.

if the key-A has the origin-A,
when user visit origin-B, the origin-A can be listed in the header of
origin-B.

-------

the cross-origin operation can be allowed with Certificate Chain and CORS
combinations.



On Wed, May 8, 2013 at 8:54 PM, Nick Van den Bleeken <
Nick.Van.den.Bleeken@inventivegroup.com> wrote:

> Arun,
>
> >> Get access to government applications that require authentication based
> on your real identity using your eID card (e.g.: to fill in taxes, retrieve
> birth certificate, ...). Including the option to sign out.
> >>
> >> Requirements:
> >> * Identify an appropriate key (issued by the government) -> query
> facility
> >> * Export the certificate, including its certificate chain (the website
> has to validate that the public key was issued by the government)
> >> * Use the private key to perform basic cryptographic operations
> >
> >
> > Looks like Ryan's already asked the questions I had.  IF the answer is
> that arbitrary origins that cannot enter into a "code agreement"
> (caller/callee) drive this use case, then I'm not sure we're working on
> technology that can cater to this use case.  I do think that a subset of
> this use case can be achieved with a cross-origin model, which is why I
> think it may be one of our more compelling use cases (and I'm optimistic
> we'll have a "flagship" cross-origin use case that illustrates what can be
> done outside origin-restricted use of this API).
> Our initial Use case was indeed 'available to any arbitrary web
> application (without a specific list of origins that should have access,
> nor any other element that limits access besides the end-user giving
> access). During the FtF I had a lot of good and interesting discussions
> related to this use case with multiple people. Those discussions also
> uncovered areas that required further investigation to asses the privacy
> and security impact for those areas. Which started to convince me that this
> use case may indeed be out of scope for the first version of the API. I
> still think that it is a compelling and important use-case, but probably
> one bridge to far for now. I do think that this may change in the near
> future, because multiple browser based operating systems are popping-up,
> and they surely need a solution for this.
>
> That being said, we are internally evaluating those two possibilities
> (list of origins and other elements that limits access besides the end-user
> giving access), we will also try to setup a  meeting with one of the
> card-providers to get their opinion about it.
>
> >
> > In general, I'll create a  "documented for posterity" section in the use
> cases document, provided we make it clear that we're not pursuing a
> solution to those use cases within our API.
> >
> > -- A*
> >
>
> Nick
>
> ________________________________
>
> Inventive Designers' Email Disclaimer:
> http://www.inventivedesigners.com/email-disclaimer
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Thursday, 9 May 2013 00:50:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:17 UTC