W3C Web Crypto WG - using the appropriate mailing list from GALINDO Virginie on 2012-08-13 (public-webcrypto-comments@w3.org from August 2012)

From: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
Date: Mon, 13 Aug 2012 17:07:38 +0200
To: Mountie Lee <mountie.lee@mw2.or.kr>
CC: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Anders Rundgren <anders.rundgren@telia.com>
Message-ID: <076ED1F6CB375B4BB5CAE7873691360703902AD824D5@CROEXCFWP04.gemalto.com>

Mountie,

Following your different exchanges over the public comment mailing with Anders, I think that it is important to mention that, being a Web Crypto WG member, you should be able to use the public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> mailing list to interface with the Working Group on which only participants can send mails.
Note that, FYI, Anders is not a participant of the Web Crypto WG - but monitoring accurately our activities. His view reflects his view and not necessarily the WG one.
Regards,

Virginie
Gemalto
Chair of the Web Crypto WG

Ps : thanks Anders for sharing your thoughts on the different topics and keeping this public comment mailing list so 'lively' ;-)



From: mountie@paygate.net [mailto:mountie@paygate.net] On Behalf Of Mountie Lee
Sent: lundi 13 août 2012 11:23
To: Anders Rundgren
Cc: public-webcrypto-comments@w3.org
Subject: Re: UseCase : Strong Personal Identity Certificate by CA

Hi.
I'm not requesting more functions.

it is the recommendation for adding use case.

regards
mountie.
On Mon, Aug 13, 2012 at 5:40 PM, Anders Rundgren <anders.rundgren@telia.com<mailto:anders.rundgren@telia.com>> wrote:
On 2012-08-13 10:08, Mountie Lee wrote:
> Hi.
> I meant
> CA can issue personal certificate ONCE with strong identity validation.
> I did not though two factor authentication or others PER USE.
>
> I can search http://www.symantec.com/verisign/digital-id
> but the cert is not enough to trust the personal identity.
>
> just I expect the new ca service like "Digital ID with Extended Validation" as use case.
> because of web crypto API.
Hi Mountie,
I'm not sure what function you are requesting.

Extended Validation is a CA policy for server certificates that are supposed to be "automatically" highly trusted by user agents.
It is not possible to translate this to client certificates because the relying party is not your platform/user agent/web browser/etc. It is another system

I don't think that even the concept of trusted personal identity is generally acknowledged.
This tends to be rather local, national or community-based.

I have a company certificate.  It is trusted within the company since it was internally issued using an approved process. However, outside of the company it is unknown (non-trusted).

Best regards,
Anders

>
> best regards
> mountie.
>
>
> On Mon, Aug 13, 2012 at 4:35 PM, Anders Rundgren <anders.rundgren@telia.com<mailto:anders.rundgren@telia.com> <mailto:anders.rundgren@telia.com<mailto:anders.rundgren@telia.com>>> wrote:
>
>     On 2012-08-13 07:46, Mountie Lee wrote:
>     > I think following use case can be considered.
>     >
>     > CA issues strong personal identity certificates.
>     > it can be equivalent level to EVSSL on server side.
>     >
>     > current personal certificate issued by CA is just checking email validity.
>     >
>     > if web crypto API is widely accepted in major user agents
>     > certificate in user agents will have more functionality by using API.
>     >
>     > as a CA, they can consider to issue new type of certificate with strong personal identity validation.
>
>     Hi Mountie,
>
>     Certificate provisioning is AFAIK outside of WebCrypto scope.
>
>     Banks and government agencies in the EU currently deploy their own software for provisioning since none of the user agents out there support provisioning of two-factor (key + PIN) authentication tokens [1].
>
>     Well, this wasn't entirely correct.  When there is a *business incentive* to support provisioning of two-factor tokens, it is (of course) honored:
>     http://googlecommerce.blogspot.co.uk/2012/08/use-any-credit-or-debit-card-with.html
>
>     Regards,
>     Anders
>
>     1] If you only need a client certificate and HTTPS you can use existing schemes like <keygen> and "CertEnroll".
>
>     >
>     > regards
>     > mountie.
>     >
>     > =======================================
>     > PayGate Inc.
>     > THE STANDARD FOR ONLINE PAYMENT
>     > for Korea, Japan, China, and the World
>     >
>     >
>     >
>     >
>
>
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
>
>
>
>


=======================================

PayGate Inc.

THE STANDARD FOR ONLINE PAYMENT

for Korea, Japan, China, and the World

Received on Monday, 13 August 2012 15:08:14 UTC