Re: Proposed API Extension for X.509 Certificates and Smart Cards

I have not heard from a single participant with experience in smart cards
or desiring smart cards who would desire to see all issued certificates
re-issued to support the scheme.

It also fails to take into account the serious security considerations that
would exist if a certificate was provisioned for example.com, but then the
certificate issuer lost control over example.com.

While you're correct that a proposal is a proposal, I think your time would
be better served - as would those who are interested in CMP and more
complex KMS - to first draft a set of problem statements and reach
consensus on the problems that you're trying to solve, rather than
continually approaching the WG with proposals that you believe solve your
problem, but do not do so in a clear and direct way.


On Wed, Feb 12, 2014 at 1:33 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> Ladies and Gentlemen,
>
> A year ago I submitted a pretty complex proposal for adding X.509 and
> smart card capabilities to WebCrypto based on a "bridging" scheme.
> Approximately the same time a fellow developer in this field Samuel
> Erdtman of NexusSafe suggested a much simpler way forward, albeit still
> building on a bridge concept.
>
> Following the golden rule that "less is more" I have with Samuel's
> permission merged a minor portion of my API ideas with his concept:
>
> http://webpki.org/papers/PKI/x509-webcrypto-extension-scheme.pdf
>
> Enjoy!
>
> Anders Rundgren
>
>

Received on Wednesday, 12 February 2014 23:15:54 UTC