W3C home > Mailing lists > Public > public-webcrypto@w3.org > July 2014

Workshop item to be discussed

From: 조상래 <sangrae@etri.re.kr>
Date: Fri, 18 Jul 2014 08:24:24 +0000
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
CC: "Web Cryptography Working Group (public-webcrypto@w3.org)" <public-webcrypto@w3.org>, "Harry Halpin (hhalpin@w3.org)" <hhalpin@w3.org>
Message-ID: <2C9D74CFB4E39C4AB170D5AAB41B21D95B6FF31F@SMTP3.etri.info>
Hello,

In the coming workshop I would like to explain and discuss the following three items if possible, which are quite inter-related each other. The first two topic is the main theme I will talk in more detail. The last one is a short introduction of our research direction.

Working with WebCrypto API
Currently we are developing authentication and digital signature services using WebCrypto API. In this development, we are building a certificate management library in JavaScript, which is called “polyfill”. WebCrypto API is called for cryptographic functions such as key generation, hashing, digital signature and certificate management service is implemented using only web technology such as JavaScript and HTML5. In the workshop, we will talk more detailed technical approach. This will demonstrate how WebCrypto API is applied extensively for authentication and digital signature services.

Certificate with hardware token
A private key and certificate issued from a CA server are usually stored in the system as a file. Of cause the private key is stored in encrypted format. However, any malicious code can steal those private key files. This is a very serious problem in Korea. The solution is to use a secure element or hardware token. Therefore last year we developed the program called TouchSign for secure authentication and digital signature solution. TouchSign uses a hardware token, which is a smartcard with cryptographic function and NFC. Now the private key is secure since it never leaves out of smartcard. When you need to authenticate or sign digitally, you can just touch your card to your smartphone. We would like to demonstrate TouchSign and express its technical aspect in the workshop.

Korean PKI with FIDO
PKI in Korea is widely deployed and extensively used in various financial transaction. However the solution we are using is not for smart mobile environment. User still need to type a password to sign digitally in the smartphone display. If you can combine Korean PKI with FIDO, then we can use more secure and convenient FIDO authenticator for better user experience. We think that Korean PKI will be synergized by FIDO. In the workshop, we would like to briefly introduce what our intension is and discuss about any technical or standard implication.

I will try to submit a position paper by the end of next week.
Best Wishes
Sangrae Cho
===========================================================
Sangrae Cho
Authentication Research Team
ETRI (Electronics and Telecommunications Research Institute)
218 Gajeongro, Yuseong-Gu, Daejeon, 305-700, KOREA
Phone : +82-42-860-6939   Fax : +82-42-860-1471
===========================================================

From: GALINDO Virginie [mailto:Virginie.Galindo@gemalto.com]
Sent: Monday, July 14, 2014 9:43 PM
To: public-webcrypto-comments@w3.org; helpcrypto helpcrypto; Harry Halpin
Subject: Re: Hardware tokens support + Batch sign (AGAIN)


Hello,

anyone can attend the W3C workshop scheduled on 10/11h of sept in Mountain View, you need to send your expression of interest, as indicated on the workshop website. See http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/Overview.html


Feel  free to ask any further question to me or Harry (copied).

Regards,

Virginie



---- helpcrypto helpcrypto a écrit ----


Hi.


I readed you are going to discuss about this next September. Will it be possible to attend for the conference? Do you have date/any details about the meeting?
Is there anything I (anyone) could do to prove/encourage the smartcard adoption/coverage on Webcrypto/Key discovery spec?


Bonus:
As stated in [1] you consider a "web data signing" use case. As I exposed before, we deal with "batch signing process" (for example, a teacher signing 200 student gradebooks) with just providing the PIN once. Have you considered this as valid a use-case? Is there any room for discussion?

[1] http://www.w3.org/2012/webcrypto/wiki/Use_Cases#Signing_data_using_a_smart_card


Thanks a lot.
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
Received on Friday, 18 July 2014 08:25:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:23 UTC