Re: WebID, BrowserID and NSTIC from Francisco Corella on 2011-08-01 (public-xg-webid@w3.org from August 2011)

From: Francisco Corella <fcorella@pomcor.com>
Date: Mon, 1 Aug 2011 10:07:46 -0700 (PDT)
To: Henry Story <henry.story@bblfish.net>
Cc: Peter Williams <home_pw@msn.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>, Karen Lewison <kplewison@pomcor.com>
Message-ID: <1312218466.22304.YahooMailNeo@web125511.mail.ne1.yahoo.com>

Henry,

Thanks for the link, and for the good discussion earlier this morning during the teleconference.

Regarding <keygen>, as I said in an earlier message I now realize that <keygen> causes the browser to send not only the public key but also an spkac message that includes a signature computed with the associated private key.  So the browser does prove ownership of the key pair.

Francisco

 
Francisco Corella, PhD
Founder & CEO, Pomcor
Twitter: @fcorella
Blog: http://pomcor.com/blog/
Web site: http://pomcor.com


>________________________________
>From: Henry Story <henry.story@bblfish.net>
>To: Francisco Corella <fcorella@pomcor.com>
>Cc: Peter Williams <home_pw@msn.com>; "public-xg-webid@w3.org" <public-xg-webid@w3.org>; Karen Lewison <kplewison@pomcor.com>
>Sent: Monday, August 1, 2011 5:40 AM
>Subject: Re: WebID, BrowserID and NSTIC
>
>
>
>
>On 31 Jul 2011, at 00:13, Francisco Corella wrote:
>
>> > > One difference is that, when you use <KEYGEN>, the browser that
>>> > > requests the certificate does not demonstrate knowledge of the private
>>> > > key, whereas in the proposed NSTIC architecture the certificate is
>>> > > issued by executing an issuance protocol (within the proposed TLS
>>> > > "server-initiated exchange") where the browser does have to
>>> > > demonstrate knowledge of the private key.
>>> http://old.nabble.com/The-%3Ckeygen%3E-element-td22921620.html
>>
>>Oops!  I thought <KEYGEN> just sent the public key to the server.  I
>>didn't realize it also sends a signature computed with the associated
>>private key, which demonstrates knowledge of the private key.  So use
>>of <KEYGEN> is equivalent to the
 issuance protocol in the proposed
>>NSTIC architecture.
>>
>>(For a issuing a credential such as an Idemix anonymous credential or
>>a U-Prove token, the issuance protocol involves an exchange of several
>>messages, so something like <KEYGEN> would not work.)
>>
>>Francisco
>>
>
>
>Thanks for pointing out the issues that could occur if the public key sent to the server were not signed. The HTML5 document goes into more detail in exactly how keygen works
>
>
>http://www.w3.org/TR/html5/the-button-element.html#the-keygen-element
>
>
>It also allows for a challenge to be sent by the server, though I have not yet
>found exactly what the use of this is.
>
>
>For older Internet Explorer browsers you can use an ActiveX component that is shipped by default with their browser and that works in a very similar way. I think we have this documented somewhere. If not we should.
>
>
>Henry
>
>
>>
>
>Social Web Architect
>http://bblfish.net/ 
>
>
>

Received on Monday, 1 August 2011 17:08:14 UTC