- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 15 Jan 2014 10:48:03 +0100
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Trying to shed some light on this thorny issue...

Using HTTPS with CCA (Client Certificate Authentication) you can indeed [in theory] authenticate to _any_ site on the Internet. So why isn't that considered a problem? Because the authentication is performed through _trusted_browser_code_ which also involves the user in the final decision. Issuers know this and trust the code and (maybe) users to do the right thing.

Using SOP exceptions however, certificates and keys would be available to any site on the Internet (possibly also without user interaction). No serious issuers accept that "their" credentials are directly accessed by arbitrary code on the Internet. It would be like banks sanctioning payment card usage in "fake" payment terminals. That's why some issuers turned to plugins: _to_be_sure_keys_are_only_accessed_by_known_and_trusted_code_.

So this is (as I see it...) not really a "Key Ownership" issue, but a genuine security problem. Addressing this through smart GUIs is IMHO not really useful because _it_still_enables_naive_users_exposing_their_keys_to_arbitrary_web_code_, not to mention the fact that certificate selection becomes quite awkward and error-prone in the [likely] case you have more than one certificate.

The X.509 domain indicator extension which Samuel Erdtman suggested would limit key access to a _single_site_ (or a set of sites), which IMO could actually work, but this concept has to date not received any support.

Anders
Received on Wednesday, 15 January 2014 09:48:36 UTC