W3C home > Mailing lists > Public > public-xg-webid@w3.org > August 2011

Re: WebID, BrowserID and NSTIC

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 1 Aug 2011 14:40:10 +0200
Cc: Peter Williams <home_pw@msn.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>
Message-Id: <8154EF11-B54F-4545-9CF4-4FD84A962F88@bblfish.net>
To: Francisco Corella <fcorella@pomcor.com>

On 31 Jul 2011, at 00:13, Francisco Corella wrote:

> > > > One difference is that, when you use <KEYGEN>, the browser that
> > > > requests the certificate does not demonstrate knowledge of the private
> > > > key, whereas in the proposed NSTIC architecture the certificate is
> > > > issued by executing an issuance protocol (within the proposed TLS
> > > > "server-initiated exchange") where the browser does have to
> > > > demonstrate knowledge of the private key.
> > http://old.nabble.com/The-%3Ckeygen%3E-element-td22921620.html
> 
> Oops!  I thought <KEYGEN> just sent the public key to the server.  I
> didn't realize it also sends a signature computed with the associated
> private key, which demonstrates knowledge of the private key.  So use
> of <KEYGEN> is equivalent to the issuance protocol in the proposed
> NSTIC architecture.
> 
> (For a issuing a credential such as an Idemix anonymous credential or
> a U-Prove token, the issuance protocol involves an exchange of several
> messages, so something like <KEYGEN> would not work.)
> 
> Francisco

Thanks for pointing out the issues that could occur if the public key sent to the server were not signed. The HTML5 document goes into more detail in exactly how keygen works

http://www.w3.org/TR/html5/the-button-element.html#the-keygen-element

It also allows for a challenge to be sent by the server, though I have not yet
found exactly what the use of this is.

For older Internet Explorer browsers you can use an ActiveX component that is shipped by default with their browser and that works in a very similar way. I think we have this documented somewhere. If not we should.

Henry

> 

Social Web Architect
http://bblfish.net/
Received on Monday, 1 August 2011 12:40:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 1 August 2011 12:40:41 GMT