- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sat, 28 Jul 2012 20:52:18 +0200
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
I'm trying to follow the discussions but I find myself lost here. This is my take on the subject:

Domain-bound keys
---------------------------
For domain-bound keys the scope is restricted to the keys that the Issuer/RP created. An opaque domain-local KeyID should be sufficient.

Domain-bound keys should (at least in my mind) be constrained to a specific client-defined container.

The need for UI selection seems limited. If the Issuer/RP can't keep track of its own operations it would be wrong to let the user take this burden.

Non-bound keys
---------------------
Non-bound keys need a combination of UI selection and filter parameters. For UI selections you also need key pinning.

Key look-up API functions are likely to create privacy issues.

Algorithm filtering
-------------------------
If you have no idea what keys the client has you have a problem. Algorithm filtering doesn't seem to be the right "cure".

SKS additions for non-bound keys
----------------------------------------------
All keys must have an X.509 certificate as ID regardless of whether it is a PKI key or not.

Keys should be fitted with logotypes to make UI selections easier.

Anders
Received on Saturday, 28 July 2012 18:53:04 UTC