- From: Paul Lambert <paul@marvell.com>
- Date: Thu, 15 Jan 2015 11:31:58 -0800
- To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Harry Halpin <hhalpin@w3.org>, GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Message-ID: <D0DD4D27.58830%paul@marvell.com>
In looking at the priority list … discovery of devices and keys is a high priority.

IMHO a very good starting point would be the delivery of a key centric form of identifier. Users at some point need to identify a device. If every secure device has some form of public/private key, a unique identifier should be created. Such an identifier would need to be:

- unique per ‘persona’
  Persona being a broadly defined container for a device or application identity and its associated behavior
- able to support a diversity of cipher suites (including a diversity of ECC curves)
  - must support new curves from IETF CFRG
- provide optional cipher suite privacy
  - access to a key identifier should not disclose its underlying algorithms unless already known
- machine readable and web usage friendly (e.g. No ‘<‘)
- human readable for validation of Id
  - easily readable with no display characters that might be confused (excluded characters 0O I1l 5S VU)
  - case insensitive for ease of reading and possible entry
    - display always in upper case (consistent and readable)
    - always accept upper or lower case
  - suggest: 26 upper/lower + 10 numeric – 9 excluded = 27
    Leading to base 27 encoding, or base 29 if UV allowed
  - allow and define a small set of separators for readability
- identifier encoding must provide strong binding (e.g. Hash) to:
  - cipher suite
    - indicates type of public key and its encoding and usage
    - includes associated encryption, hash, etc.
  - value of the associated public key
- provide optional privacy features to mask public use of identity

The idea is that any public key based identity could be represented universally by a unique identifier for any device, thing, application, server, service, whatever.

A worked example might look like:

JEQG-FF4M-7HBF-QNH3-CKYE

Paul

Dear all,

Web Crypto WG charter [1] will end by the end of March. We need to prepare the next charter of Web Crypto.
As a reminder, the conversation has started on this page: https://www.w3.org/Security/wiki/IG/webcryptonext_draft_charter

Feel free to add your ideas and suggestions on the wiki and/or expose your opinion and question on the public-webcrypto@w3.org or public-webcrypto-comment@w3.org (for non W3C Web Crypto WG members).

Regards,
Virginie

[1] http://www.w3.org/2011/11/webcryptography-charter.html
Received on Thursday, 15 January 2015 19:32:30 UTC
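
The identifier requirements listed in the message above, as an added example that is not part of the original e-mail or of any W3C draft: it hashes a cipher suite label together with the public key, encodes the result in the 27-symbol alphabet, and accepts case-insensitive entry with separators. SHA-256, the length-prefixed framing, the 20-symbol length, the separator set and the suite label `ECDH-P256-SHA256` are assumptions of this sketch.

```python
import hashlib

# Added example: 36 alphanumerics minus the nine excluded characters
# (0 O I 1 L 5 S V U) leave the 27-symbol alphabet suggested in the message.
ALPHABET = "".join(c for c in "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   if c not in "0OI1L5SVU")
ID_LEN = 20        # assumption: 5 groups of 4, the shape of the sample Id
GROUP = 4
SEPARATORS = "- "  # assumption: the message leaves the separator set undefined


def key_id(cipher_suite: str, public_key: bytes) -> str:
    """Bind the identifier to both the cipher suite and the public key value."""
    suite = cipher_suite.encode("utf-8")
    # Length-prefix the suite so bytes cannot be shifted between the two
    # fields to produce the same hash input. SHA-256 is an assumption here.
    digest = hashlib.sha256(len(suite).to_bytes(2, "big") + suite + public_key).digest()
    n = int.from_bytes(digest, "big") % (27 ** ID_LEN)  # truncate to 20 symbols
    symbols = []
    for _ in range(ID_LEN):
        n, r = divmod(n, 27)
        symbols.append(ALPHABET[r])
    raw = "".join(reversed(symbols))
    return "-".join(raw[i:i + GROUP] for i in range(0, ID_LEN, GROUP))


def normalize(entered: str) -> str:
    """Accept upper or lower case and allowed separators; return display form."""
    raw = "".join(c for c in entered.upper() if c not in SEPARATORS)
    bad = sorted(set(raw) - set(ALPHABET))
    if bad:
        raise ValueError(f"characters outside the alphabet: {bad}")
    if len(raw) != ID_LEN:
        raise ValueError(f"expected {ID_LEN} symbols, got {len(raw)}")
    return "-".join(raw[i:i + GROUP] for i in range(0, ID_LEN, GROUP))


def matches(entered: str, cipher_suite: str, public_key: bytes) -> bool:
    """Check a human-entered Id against a key the verifier already holds."""
    return normalize(entered) == key_id(cipher_suite, public_key)


if __name__ == "__main__":
    pub = bytes(range(32))  # constructed sample key bytes, not a real key
    print(key_id("ECDH-P256-SHA256", pub))
```

Twenty base-27 symbols carry about 95 bits of the hash, so the identifier length is itself a security parameter of any such scheme.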