Re: What we were using public key authentication for

On Wed, Mar 30, 2016 at 9:09 AM, Graham Leggett <minfrin@sharp.fm> wrote:

> On 30 Mar 2016, at 6:00 PM, Dave Longley <dlongley@digitalbazaar.com>
> wrote:
>
> > As a quick, temporary replacement for keygen, you should be able to use
> > forge (or forge + WebCrypto) to generate a keypair and wrap it in a
> > PKCS#12 container that can be downloaded via a link that, when clicked,
> > may bring up an import dialog in the user's browser. They may have to
> > save the file first before importing, I'm not sure.
> >
> > forge: https://github.com/digitalbazaar/forge
> >
> > There's some somewhat messy X.509 cert creation and PKCS#12 code that
> > could be adapted from this issue:
> >
> > https://github.com/digitalbazaar/forge/issues/211#issuecomment-85447100
>
> Does this guarantee that the key was a) generated on the client side only
> (and not anywhere else and injected into the conversation),


I do not believe you can do this with WebCrypto. Why do you believe that
this is a requirement?


> and b) that this key cannot be subsequently exported and uploaded to some
> third party location under the control of third party server code?
>

WebCrypto does support this.

However, note that it does not support taking WebCrypto keys and inserting
them into the HTTPS stack.

-Ekr



>
> If the answer is no to either, then this isn’t a replacement for keygen.
>
> Regards,
> Graham

Received on Wednesday, 30 March 2016 16:18:49 UTC
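
The WebCrypto behaviour discussed in point b) above can be checked directly. The following is an added example, not part of the original thread or of forge: it generates an ECDSA P-256 key pair with `extractable` set to `false` and confirms that the private key cannot be exported while it can still sign. The function name `nonExtractableKeyDemo` and the challenge string are constructed for illustration; the code assumes a browser or a Node.js runtime with WebCrypto.

```javascript
// Added example: WebCrypto non-extractable private key (browser or Node.js).
// Falls back to node:crypto's webcrypto where globalThis.crypto is absent.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

async function nonExtractableKeyDemo() {
  const keyAlg = { name: 'ECDSA', namedCurve: 'P-256' };
  const sigAlg = { name: 'ECDSA', hash: 'SHA-256' };

  // extractable = false applies to the private key; the public key of an
  // asymmetric pair is always extractable so it can be sent to a server.
  const { privateKey, publicKey } =
    await subtle.generateKey(keyAlg, false, ['sign', 'verify']);

  // Attempting to export the private key must be rejected by the API.
  let exportBlocked = false;
  try {
    await subtle.exportKey('pkcs8', privateKey);
  } catch (err) {
    exportBlocked = true;
  }

  // The public half can be exported, e.g. for registration or certification.
  const spki = await subtle.exportKey('spki', publicKey);

  // The private key remains usable through the API without being readable.
  const challenge = new TextEncoder().encode('constructed challenge');
  const signature = await subtle.sign(sigAlg, privateKey, challenge);
  const signatureValid =
    await subtle.verify(sigAlg, publicKey, signature, challenge);

  return {
    privateExtractable: privateKey.extractable,
    publicExtractable: publicKey.extractable,
    exportBlocked,
    spkiBytes: spki.byteLength,
    signatureValid,
  };
}
```

The flag only blocks export of the key material through the API: any script running in the same origin can still ask the key to sign, and, as noted in the reply above, such a key cannot be handed to the browser's HTTPS stack for client authentication.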