- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Tue, 16 Oct 2012 10:55:28 +0200
- To: Samuel Erdtman <samuel@erdtman.se>
- CC: David Dahl <ddahl@mozilla.com>, "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Mountie Lee <mountie.lee@gmail.com>
Although Samuel and I advocate different solutions, they have a couple of very important things in common:

- Credentials cannot be used "as is", they need to be reissued
- Presumes fairly low-level scanning of platform/browser key-stores

So now there are *two* proposals! Maybe there's yet another proposal hidden deep down in the WG email-list as well? I leave that to David to sort out :-)

Anders

On 2012-10-16 10:33, Samuel Erdtman wrote:
> Hi
>
> Since I'm not yet a member of the group I'll send some thoughts here.
>
> First, it would be very useful to address certificates and their attributes since they are used everywhere in our use-cases (Technology Nexus); we do not handle keys without certificates. Therefore I think that certificates, even though they are a secondary use-case in the charter, should be addressed if possible.
>
> I have looked at Anders' proposal and it could be one part of solving our use-cases. However, I would like to describe an alternative solution that solves the same part of the problem but from a slightly different angle.
>
> I would like to have keys bound to origins (let's not open the Pandora's box of breaking same origin policy). I would also like keys that are pre-provisioned to be tagged with a domain, possibly with several domains and wildcards for sub-domains. One solution for tagging keys could be a certificate attribute. By this solution specific domains could list all keys that they own in a way that is consistent with the rest of their GUI, i.e. not like client-SSL works today. To handle the obvious need for cross origin signing I would like the site wanting to sign something to load an iframe/popup/tab with the key owner's url and use e.g. postMessage to ask for a signature/encryption, and the owner site will have to list keys and ask the user for a pin etc. I know this might best suit asymmetric keys and signing (i.e. PKI) but that is our most central use-case.
>
> Cheers
> //Samuel Erdtman
> Product Manager
> Technology Nexus AB
>
>
> On Mon, Oct 15, 2012 at 6:28 PM, Anders Rundgren <anders.rundgren@telia.com> wrote:
>> On 2012-10-15 17:57, David Dahl wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/13/2012 12:08 AM, Anders Rundgren wrote:
>>>> http://lists.w3.org/Archives/Public/public-webcrypto/2012Oct/0066.html
>>>>
>>>> Because this is what the plugin folks all over the world actually do, I concur with Mountie: "The time is NOW".
>>>>
>>>> There is (as you should know by now) also a proposal for this. It's incompatible with most vendors' cryptographic platforms but that may be the price to pay when you want (?) to challenge proprietary one-purpose solutions with standards. Nobody said it was easy either :-)
>>>>
>>>> David, since you initiated the "web crypto craze", what's your take on this?
>>> Anders:
>>>
>>> Are you referring to your proposal?
>>
>> Yes, is there any other concrete proposal?
>>
>>> Is Mountie familiar with it?
>>
>> I haven't received feedback from any WG member. I believe Mountie rather expects the WG to address this issue NOW (=ASAP).
>>
>>> As far as supporting certs in the spec, with the low-level API it seems natural to do so, however, this is definitely not a primary issue to resolve in the near term.
>>
>> A primary issue is resolving how you discover and access keys stored in existing (often platform-wide) key-stores. Without such a solution, the rest is probably of moderate interest to people involved in large-scale deployments of OOB-provisioned keys.
>>
>> Mountie mentioned some 25M people in Korea, and in Sweden half of the population is equipped with certificates for on-line access.
>>
>> Cheers,
>> Anders
>>
>>> Cheers,
>>>
>>> David
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>>
>>> iQEcBAEBAgAGBQJQfDJdAAoJEJfYh8Nd7p0f0roH/09CJ+wojUl+U1opzcRJUlCV
>>> bRIbpG0TlxADmk16WlcXZqdWAXzE90IXcGqd4rv3dK+KZ5sOWSnaQziyNnjqXFGw
>>> KqpiD6u7Jl23HQ+IaePzgELPxbbDRqzFSLVaqaVN341nOGI6vKz4dJGWGk0H1g07
>>> IOsBaAiDN3fZNzndt5bkuZYc7tZ0IGmgcMQMCkpIPwK0lN5FM0ELGwih1LRMvb7Q
>>> FsPMs7fWaB2+bSQ5QgNMbJyaP1tdSBANAog/KxYN0Qrjq7nYZ2JcsVhWs1p3q6nz
>>> d4/IKf2JHsNjvfaMcgdVE+35uAhQEkjirYPZ73Mij/VaIe3OG1EfzVieaWc3UX8=
>>> =fxM6
>>> -----END PGP SIGNATURE-----
Received on Tuesday, 16 October 2012 08:56:13 UTC