- From: Mitar <mmitar@gmail.com>
- Date: Tue, 23 Feb 2016 23:21:29 -0800
- To: Crispin Cowan <crispin@microsoft.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi!

You do not have to expose it in a way which is exportable. And you do not expose the private key without user consent. To know if the application is trustworthy or not to get access to the private key can be addressed through other means. Some could trust the application based on the server it is coming from. Or you could not trust apps coming from servers, but allow only browser extensions the access.

Mitar

On Tue, Feb 23, 2016 at 11:01 PM, Crispin Cowan <crispin@microsoft.com> wrote:
> Exposing private keys seems like it is *never* a good idea. You use a private key to encrypt a challenge to prove possession with respect to the public key. Once the private key is disclosed, the value of the key pair is destroyed. Why would you want to do that?
>
> -----Original Message-----
> From: Mitar [mailto:mmitar@gmail.com]
> Sent: Tuesday, February 23, 2016 10:56 PM
> To: Martin Thomson <martin.thomson@gmail.com>
> Cc: public-webappsec@w3.org
> Subject: Re: Using client certificates for signing
>
> Hi!
>
> On Tue, Feb 23, 2016 at 7:46 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
>> On 22 February 2016 at 21:42, Mitar <mmitar@gmail.com> wrote:
>>>> You don't *need* a certificate to sign. WebCrypto is enough.
>>>
>>> You do. Because your certificate is signed by the state CA. And this
>>> makes your digital signature legally equivalent to the normal
>>> signature for almost any purpose. At least some countries in Europe
>>> have such laws.
>>
>> You do not. The private key that you use to sign is not in a
>> certificate. If the key pair that was used to generate the
>> certificate is made available to WebCrypto, that is enough.
>
> Oh, you are objecting to my terminology, but it seems that we agree otherwise. So you are agreeing that exposing the private key of the certificate's key pair to WebCrypto would be one of the ways to address this? I agree. So how can we make this available?
>
>
> Mitar
>
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m

--
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Wednesday, 24 February 2016 07:21:57 UTC