Re: crypto-ISSUE-15: Discovering certificates associated with (private) keys

Hi

Since I'm not yet a member of the group, I'll send some thoughts here.

First, it would be very useful to address certificates and their
attributes, since they are used everywhere in our use-cases (Technology
Nexus); we do not handle keys without certificates. Therefore I think
that certificates, even though they are a secondary use-case in the
charter, should be addressed if possible.

I have looked at Anders' proposal and it could be one part of solving
our use-cases. However, I would like to describe an alternative
solution that solves the same part of the problem but from a slightly
different angle.

I would like to have keys bound to origins (let's not open the
Pandora's box of breaking same origin policy). I would also like keys
that are pre-provisioned to be tagged with a domain, possibly with
several domains and wildcards for sub-domains. One solution for
tagging keys could be a certificate attribute. With this solution,
specific domains could list all keys that they own in a way that is
consistent with the rest of their GUI, i.e. not like client-SSL
works today. To handle the obvious need for cross-origin signing, I
would like the site wanting to sign something to load an
iframe/popup/tab with the key owner's URL and use e.g. postMessage to
ask for a signature/encryption, and the owner site will have to list
keys and ask the user for a PIN etc. I know this might best suit
asymmetric keys and signing (i.e. PKI), but that is our most central
use-case.

Cheers
//Samuel Erdtman
Product Manager
Technology Nexus AB



On Mon, Oct 15, 2012 at 6:28 PM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
> On 2012-10-15 17:57, David Dahl wrote:
>>
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 10/13/2012 12:08 AM, Anders Rundgren wrote:
>> >http://lists.w3.org/Archives/Public/public-webcrypto/2012Oct/0066.html
>> >
>> > Because this is what the plugin folks all over the world actually do, I
>> > concur with Mountie: "The time is NOW".
>> >
>> > There is (as you should know by now) also a proposal for this. It's
>> > incompatible with most vendors' cryptographic platforms but that may be the
>> > price to pay when you want (?) to challenge proprietary one-purpose
>> > solutions with standards. Nobody said it was easy either :-)
>> >
>> > David, since you initiated the "web crypto craze", what's your take on
>> > this?
>> Anders:
>>
>> Are you referring to your proposal?
>
>
> Yes, is there any other concrete proposal?
>
>
>> Is Mountie familiar with it?
>
>
> I haven't received feedback from any WG member.  I believe Mountie rather
> expects the WG to address this issue NOW (=ASAP).
>
>
>>
>> As far as supporting certs in the spec, with the low-level API it seems
>> natural to do so, however, this is definitely not a primary issue to resolve
>> in the near term.
>
>
> A primary issue is resolving how you discover and access keys stored in
> existing (often platform-wide) key-stores.
> Without such a solution, the rest is probably of moderate interest to people
> involved in large-scale deployments of OOB-provisioned keys.
>
> Mountie mentioned some 25M people in Korea, and in Sweden half of the
> population is equipped with certificates for on-line access.
>
> Cheers,
> Anders
>
>
>>
>> Cheers,
>>
>> David
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> -----END PGP SIGNATURE-----
>>
>
>

Received on Tuesday, 16 October 2012 13:39:52 UTC
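
The origin checks implied by Samuel Erdtman's proposal above, as an added example that is not part of the original message or of any WG proposal: wildcard domain tags decide which keys the owner site may list, and the owner's postMessage handler validates the requesting origin before prompting the user. All function names, the message shape, the requester allowlist and the sample keys are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, sample data is constructed.

// True if a key's domain tag covers a host. "*.bank.example" covers any
// subdomain depth but not the bare "bank.example"; matching is on whole
// labels, so "evilbank.example" is not covered.
function tagMatches(tag, host) {
  tag = tag.toLowerCase();
  host = host.toLowerCase();
  if (tag.startsWith("*.")) {
    const suffix = tag.slice(1); // ".bank.example"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return tag === host;
}

// Keys an origin may list: only https origins, only keys tagged for its host.
// Opaque origins (the string "null") fail URL parsing and get nothing.
function keysForOrigin(keys, origin) {
  let url;
  try { url = new URL(origin); } catch { return []; }
  if (url.protocol !== "https:") return [];
  return keys.filter(k => k.domains.some(t => tagMatches(t, url.hostname)));
}

// Owner-site side of the postMessage exchange. Returns a decision only; the
// caller shows the key list, asks for the PIN, signs, and replies with
// event.source.postMessage(result, decision.replyTo), never with "*".
function handleSignRequest(event, ownerOrigin, allowedRequesters, keys) {
  if (!allowedRequesters.includes(event.origin))
    return { action: "reject", reason: "origin" };
  const msg = event.data;
  if (!msg || msg.type !== "sign-request" || typeof msg.payload !== "string")
    return { action: "reject", reason: "format" };
  const usable = keysForOrigin(keys, ownerOrigin);
  if (usable.length === 0) return { action: "reject", reason: "no-keys" };
  return { action: "prompt-user", replyTo: event.origin,
           payload: msg.payload, keyIds: usable.map(k => k.id) };
}

// Constructed key store: ids and domain tags are made up.
const KEYS = [
  { id: "bank-signing", domains: ["*.bank.example"] },
  { id: "gov-id", domains: ["id.gov.example", "*.tax.gov.example"] },
];
```

In a browser, `handleSignRequest` would be called from a `message` event listener in the owner site's iframe, with `ownerOrigin` set to `window.location.origin`.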