- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Sat, 13 Jul 2013 15:23:59 +0200
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Hi All,

WebAuth is something I started years ago with the aim of creating a replacement for TLS CCA (Client Certificate Authentication), since the latter has numerous shortcomings (at least when used in a browser) that appear to be unresolvable; there's not even a logout function.

WebAuth is essentially a "compilation" of dozens of similar schemes used in Europe. Because WebAuth wasn't conceived yesterday, it is shrouded in XML rather than JSON:

https://code.google.com/p/openkeystore/source/browse/library/trunk/src/org/webpki/wasp/webauth.xsd

Could WebCrypto do the same things as WebAuth? Currently not, but it might in the future. I'm personally leaning towards keeping a TLS CCA plugin-replacement because it is such a major use-case.

You may find WebAuth, when using a QR code as challenge/URL-trigger, a bit fun as a PKI-based counterpart to traditional OTP tokens. I call it "QR ID". It shares the phishing issue with OTP but not the awkwardness and limited entropy.

WebAuth is only a very small part of the PoC system downloadable from:

https://play.google.com/store/apps/details?id=org.webpki.mobile.android

The demo-site's enrollment process, which "clones" your Google account ID and depends on a device ID for pre-authorization, is just one of many ways of provisioning the platform.

Anders
Received on Saturday, 13 July 2013 13:24:36 UTC