Re: Proposed API Extension for X.509 Certificates and Smart Cards

On Wed, Feb 12, 2014 at 10:03 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-02-13 00:15, Ryan Sleevi wrote:
> > I have not heard from a single participant with experience in smart
> > cards or desiring smart cards who would desire to see all issued
> > certificates re-issued to support the scheme.
> >
> > It also fails to take into account the serious security considerations
> > that would exist if a certificate was provisioned for example.com, but
> > then the certificate issuer lost control over example.com.
> >
> > While you're correct that a proposal is a proposal, I think your time
> > would be better served - as would those who are interested in CMP and
> > more complex KMS - to first draft a set of problem statements and reach
> > consensus on the problems that you're trying to solve, rather than
> > continually approaching the WG with proposals that you believe solve
> > your problem, but do not do so in a clear and direct way.
>
> Dear Ryan,
>
> Proposals tend to have pros and cons.  You have clearly identified a
> couple of weaknesses in the plot.
>
> I'm cool with that.  Now I look forward to seeing the *other* proposals
> that Virginie has indicated are in the works.
>
> Regarding the use-case, it's pretty straightforward:
>
>     "Blending traditional PKI (including how it is packaged and
>     distributed), with WebCrypto."
>
> Cheers,
> Anders
>

Anders,

While I appreciate you taking the time to reply, I fear that the amount of
time people will spend reviewing and considering your proposal should and
will be limited to the amount of time you spent drafting a problem
statement and use cases.

I'm sure with your expertise you can certainly provide a more meaningful
set of problems, along with a demonstration of how they can only be solved
with your proposed integration, and which cannot be addressed by the
existing solution. Stating "Because we want it" or "because that's how we
do things" is not a productive contribution to a meaningful discussion.

Again, it's more useful for the WG if you can share the set of problems
you're wishing to solve, rather than presenting specific solutions that you
believe will solve them.

All the best,
Ryan


> > On Wed, Feb 12, 2014 at 1:33 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> >
> >     Ladies and Gentlemen,
> >
> >     A year ago I submitted a pretty complex proposal for adding X.509
> >     and smart card capabilities to WebCrypto based on a "bridging"
> >     scheme.  At approximately the same time, a fellow developer in this
> >     field, Samuel Erdtman of NexusSafe, suggested a much simpler way
> >     forward, albeit still building on a bridge concept.
> >
> >     Following the golden rule that "less is more", I have, with Samuel's
> >     permission, merged a minor portion of my API ideas with his concept:
> >
> >     http://webpki.org/papers/PKI/x509-webcrypto-extension-scheme.pdf
> >
> >     Enjoy!
> >
> >     Anders Rundgren

Received on Thursday, 13 February 2014 06:49:39 UTC