- From: Henry Story <henry.story@bblfish.net>
- Date: Sat, 6 Aug 2011 11:38:08 +0200
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-identity@w3.org" <public-identity@w3.org>
On 6 Aug 2011, at 10:04, Anders Rundgren wrote:

> http://lists.w3.org/Archives/Public/public-html/2011Aug/0033.html
>
> W3C is like PKIX working with the idea of upgrading existing schemes
> rather than starting with a requirement specification and see where
> that leads you.
>
> I don't think W3C's revised <keygen> will go anywhere because a 2-phase
> protocol doesn't really cut it. Apple's already deployed scheme for iPhone
> is considerably more powerful and user-friendly.

The MD5 situation can be mitigated by the server using a time-based challenge. This can reduce the attack surface to a few minutes. I doubt md5 is that bad. But better security would be better of course.

I wrote up the different ways of creating certificates here:
http://www.w3.org/wiki/Foaf%2Bssl/Clients#Support_for_easy_creation_of_certificates

What I am still not clear about is what could go wrong. I thought I had understood that for a while, but I realised I am not clear about that. After all a public certificate is no use if you do not have the private key corresponding to the public key published in the certificate. So even if someone took the public key generated by the browser there is not much they could do with it.

Can you fill me in again here? I feel like there is something I am missing here, and I would like to fill in the hole in the wiki above.

By the way I don't see how what Apple is doing could have a better user interface. The user interface for keygen is: click a button. Unless they move to mind reading...

Henry

> Anders
>

Social Web Architect
http://bblfish.net/
Received on Saturday, 6 August 2011 09:38:53 UTC
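The time-based challenge Henry proposes above, as an added illustration that is not code from the thread or from any of the participants: the server puts a timestamp and nonce into the `<keygen challenge="...">` value and authenticates them with an HMAC (HMAC-SHA256 and a five-minute window are assumptions here, the server-side secret is a constructed value), then accepts the challenge echoed back inside the SPKAC only while it is fresh, so a signature over a stale challenge is rejected regardless of how the MD5 signature in the SPKAC was produced.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed window: "a few minutes", as the message puts it.
WINDOW_SECONDS = 5 * 60


def issue_challenge(secret: bytes, now: Optional[int] = None) -> str:
    """Build the value the server places in <keygen challenge="...">.

    Format (an assumption for this example): "<unix-ts>.<nonce>.<hmac>".
    The secret stays on the server; the browser only echoes the string
    back inside the signed SPKAC it returns.
    """
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    mac = hmac.new(secret, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_challenge(secret: bytes, challenge: str,
                     now: Optional[int] = None,
                     window: int = WINDOW_SECONDS) -> bool:
    """Check the challenge recovered from a submitted SPKAC.

    Accept only if the HMAC is ours (the challenge was really issued by
    this server) and it was issued no more than `window` seconds ago;
    anything malformed, forged, or stale is refused.
    """
    try:
        ts_s, nonce, mac = challenge.split(".")
        ts = int(ts_s)
    except ValueError:
        return False  # wrong shape or non-numeric timestamp
    expected = hmac.new(secret, f"{ts}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # not issued by us, or tampered with
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= window  # reject future and expired


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # constructed sample value
    c = issue_challenge(secret, now=1_312_623_488)
    print(verify_challenge(secret, c, now=1_312_623_488 + 60))   # True
    print(verify_challenge(secret, c, now=1_312_623_488 + 600))  # False
```

A server that also records each nonce it has accepted can refuse a second submission of the same challenge inside the window, which closes the replay case the timestamp alone does not.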