Re: ISSUE-15: Discovering certificates associated with (private) keys

On 2012-08-06 18:04, Ryan Sleevi wrote:
> On Mon, Aug 6, 2012 at 3:25 AM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> I believe the [correct] conclusions made by Ryan in
>> http://lists.w3.org/Archives/Public/public-webcrypto/2012Aug/0020.html
>> verify my claim that WebCrypto doesn't address on-line bank applications, since the fairly few that depend on client-side Public Key technology currently do this through pre-provisioned or on-line provisioned X.509 certificates.  This restriction is also valid for a pretty large number of other applications, including e-government solutions.
>>
>> IMHO, it would be silly adding client-certificate support to WebCrypto without adding on-line provisioning as well.  However, that would also raise the techno-political bar to a new height, potentially blocking the entire mission.
>> I.e. the right action ought to be that client-certificates are moved to a specific WG.
>>
>> Related:
>> http://datatracker.ietf.org/doc/draft-ietf-pkix-est
>>
>> Thanx,
>> Anders
>>
>>
> 
> Hi Anders,
> 
> I feel you may be misinterpreting my intentions. I certainly consider
> client certificates to be a very interesting and important use case,
> and certainly within the scope of our charter
> (http://www.w3.org/2011/11/webcryptography-charter.html - Secondary
> API features - "with a focus enabling the selection of certificates
> for signing and encryption")
> 
> My goal with this ISSUE, and my comments about omitting from the FPWD,
> were merely to scope our effort for the next month. I think it would
> be very useful to include, but before we go down that route, I want to
> make sure we're able to address primary features first.

Hi Ryan,

Thanx for the clarification. I still feel that the WebCrypto WG is ducking on the
provisioning issue which at least in my mind makes selection somewhat hypothetical.

It is also important to keep in mind that the #1 application for client certificates
is user authentication.  Although most crypto people probably believe it is lunacy,
quite a bunch of the big users of client certificates do not use TLS CCA (Client
Certificate Authentication) because of its many usability issues.  At both ends, actually.

Regards,
Anders

> 
> Regards,
> Ryan
> 
> 

Received on Monday, 6 August 2012 19:00:26 UTC