Re: The actual problem. Re: Certificates

On 2013-03-18 07:41, Mountie Lee wrote:
> Hi.
> 
> The current WebCrypto Charter (http://www.w3.org/2011/11/webcryptography-charter.html) describes the secondary features in the Scope chapter.
> I think the Client TLS Certificate can be included in "control of TLS session login/logout".
> I don't think TLS means not just for server cert only.
> but it means for server only or server and client certs both.

Pardon me Mountie, but I still haven't a clue regarding what _you_ are requesting
or expecting in terms of certificate support.

The only _concrete_proposal_ I have seen that could work without disrupting the entire
platform (which I feel is needed...), was from my "competitor-colleague" Samuel Erdtman
who suggested that an X.509 extension holding a domain could be used as a "bridge"
between Web Crypto and certificates stored in the traditional way.  Simple and clever.

Anders

> 
> regards
> mountie.
> 
> 
> 
> On Mon, Mar 18, 2013 at 2:12 PM, Anders Rundgren <anders.rundgren@telia.com> wrote:
> 
>     On 2013-03-17 21:02, Jeffrey Walton wrote:
>     > On Sat, Mar 16, 2013 at 2:30 AM, Anders Rundgren
>     > <anders.rundgren@telia.com> wrote:
>     >> I don't claim to have full insight in anything but one thing I do know: client-certificates are usually referred to in the same context as _secure_key-storage_ but the latter reached a complete standstill more than a _decade_ ago.
>     >>
>     > The problem appears to be usability, which might explain the
>     > standstill. See, for example, the recent discussion "Client TLS
>     > Certificates - why not?",
>     > http://lists.randombit.net/pipermail/cryptography/2013-March/003946.html:
>     >
>     >     Can anyone enlighten me why client TLS
>     >     certificates are used so rarely? It used to
>     >     be a hassle in the past, but now at least
>     >     the major browsers offer quite decent client
>     >     cert support, and seeing how most people
>     >     struggle with passwords, I don't see why
>     >     client certs could not be beneficial even
>     >     to "ordinary users".
>     >
>     > The threaded view is available at
>     > http://lists.randombit.net/pipermail/cryptography/2013-March/thread.html.
> 
>     This discussion missed the initial pain-point, how to provision a certificate.
> 
>     By the actually pretty large communities of client-certificate-users out there,
>     this has usually been solved by deploying proprietary software since for example
>     Windows doesn't have this functionality, which according to my contacts in Redmond,
>     is "By Design": "There's no business case for consumer authentication using PKI".
> 
>     Anders
> 
>     >
>     > Jeff
>     >
>     >
> 
> -- 
> Mountie Lee
> 
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
> 
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
> 

Received on Tuesday, 19 March 2013 05:28:04 UTC