Re: WebAuth - Replacement for HTTPS Client Certificate Authentication

On 2013-10-23 19:52, Chris Mankowski wrote:
> My experience is that HTTPS CCA is very difficult to provision to a mobile workforce, and perhaps that's why it's not as widely used as it could be.  (and consequently supported)

I don't think anybody uses it in mobile phones except for very small-scale deployments and "experiments".
AFAIK, mobile banks _without exception_ rebuild this part themselves.

>
> I think it's a chicken and egg situation where improved provisioning support may lead to higher priority fixes, and better MITM protection for all who use the technology.
>
> For those who want to address the provisioning issue, here is a short list of issues in provisioning HTTPS CCA using the keygen element, with historic references and discussions on the topic:  http://security.stackexchange.com/a/27956/396

It was nice to see somebody else putting <keygen> where it truly belongs: in a museum :-)

Here is my wish-list:
http://webpki.org/papers/PKI/certenroll-features.pdf


>
> That being said, I look forward to seeing if I can adapt U-Prove to this framework, so that privacy can be preserved when authenticating to a website.

I would be very interested in that.  I'm currently not up to speed on U-Prove and it seems that Microsoft have given up the client-part and rather target the cloud.

Anders

>
> On Wed, Oct 23, 2013 at 10:55 AM, Anders Rundgren <anders.rundgren@telia.com <mailto:anders.rundgren@telia.com>> wrote:
>
>     Maybe of interest:
>
>     http://webpki.org/papers/PKI/webauth.pdf
>
>     Comments are welcome!
>
>     There are actually 3 independent standards targets in this proposal:
>
>     1. Browser bindings for JSON protocol invocations
>
>     2. JSON Clear-text Signature:
>     https://openkeystore.googlecode.com/svn/resources/trunk/docs/JSON-Clear-Text-Signature-Scheme.pdf
>
>     3. And then WebAuth itself
>
>     Cheers
>     Anders
>

Received on Wednesday, 23 October 2013 18:12:50 UTC