Re: W3C Web Crypto WG - using the appropriate mailing list

Hi.
I will keep in mind the usage.

thanks.

On Tue, Aug 14, 2012 at 12:07 AM, GALINDO Virginie <
Virginie.GALINDO@gemalto.com> wrote:

> Mountie,
>
> Following your different exchanges over the public comment mailing with
> Anders, I think that it is important to mention that, being a Web Crypto WG
> member, you should be able to use the public-webcrypto@w3.org mailing
> list to interface with the Working Group on which only participants can
> send mails.
>
> Note that, FYI, Anders is not a participant of the Web Crypto WG - but
> monitoring accurately our activities. His view reflects his view and not
> necessarily the WG one.
>
> Regards,
>
> Virginie
>
> Gemalto
>
> Chair of the Web Crypto WG
>
> Ps : thanks Anders for sharing your thoughts on the different topics and
> keeping this public comment mailing list so ‘lively’ ;-)
>
> *From:* mountie@paygate.net [mailto:mountie@paygate.net] *On Behalf Of* Mountie Lee
> *Sent:* Monday, 13 August 2012 11:23
> *To:* Anders Rundgren
> *Cc:* public-webcrypto-comments@w3.org
> *Subject:* Re: UseCase : Strong Personal Identity Certificate by CA
>
> Hi.
>
> I'm not requesting more functions.
>
> it is the recommendation for adding use case.
>
> regards
>
> mountie.
>
> On Mon, Aug 13, 2012 at 5:40 PM, Anders Rundgren <
> anders.rundgren@telia.com> wrote:
>
> On 2012-08-13 10:08, Mountie Lee wrote:
> > Hi.
> > I meant
> > CA can issue personal certificate ONCE with strong identity validation.
> > I did not though two factor authentication or others PER USE.
> >
> > I can search http://www.symantec.com/verisign/digital-id
> > but the cert is not enough to trust the personal identity.
> >
> > just I expect the new ca service like "Digital ID with Extended Validation" as use case.
> > because of web crypto API.
>
> Hi Mountie,
> I'm not sure what function you are requesting.
>
> Extended Validation is a CA policy for server certificates that are
> supposed to be "automatically" highly trusted by user agents.
> It is not possible to translate this to client certificates because the
> relying party is not your platform/user agent/web browser/etc. It is
> another system
>
> I don't think that even the concept of trusted personal identity is
> generally acknowledged.
> This tends to be rather local, national or community-based.
>
> I have a company certificate.  It is trusted within the company since it
> was internally issued using an approved process. However, outside of the
> company it is unknown (non-trusted).
>
> Best regards,
> Anders
>
> >
> > best regards
> > mountie.
>
> >
> >
> > On Mon, Aug 13, 2012 at 4:35 PM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> >
> >     On 2012-08-13 07:46, Mountie Lee wrote:
> >     > I think following use case can be considered.
> >     >
> >     > CA issues strong personal identity certificates.
> >     > it can be equivalent level to EVSSL on server side.
> >     >
> >     > current personal certificate issued by CA is just checking email validity.
> >     >
> >     > if web crypto API is widely accepted in major user agents
> >     > certificate in user agents will have more functionality by using API.
> >     >
> >     > as a CA, they can consider to issue new type of certificate with strong personal identity validation.
> >
> >     Hi Mountie,
> >
> >     Certificate provisioning is AFAIK outside of WebCrypto scope.
> >
> >     Banks and government agencies in the EU currently deploy their own software for provisioning since none of the user agents out there support provisioning of two-factor (key + PIN) authentication tokens [1].
> >
> >     Well, this wasn't entirely correct.  When there is a *business incentive* to support provisioning of two-factor tokens, it is (of course) honored:
> >
> >     http://googlecommerce.blogspot.co.uk/2012/08/use-any-credit-or-debit-card-with.html
> >
> >     Regards,
> >     Anders
> >
> >     [1] If you only need a client certificate and HTTPS you can use existing schemes like <keygen> and "CertEnroll".
> >
> >     >
> >     > regards
> >     > mountie.
> >     >
> >     > =======================================
> >     > PayGate Inc.
> >     > THE STANDARD FOR ONLINE PAYMENT
> >     > for Korea, Japan, China, and the World
> >     >
> >     >
> >     >
> >     >
> >
> >
> >
> > =======================================
> > PayGate Inc.
> > THE STANDARD FOR ONLINE PAYMENT
> > for Korea, Japan, China, and the World
> >
> >
> >
> >
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
>

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Tuesday, 14 August 2012 07:10:07 UTC