- From: 조상래 (Sangrae Cho) <sangrae@etri.re.kr>
- Date: Tue, 9 Jul 2013 00:30:44 +0000
- To: GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "Web Cryptography Working Group (public-webcrypto@w3.org)" <public-webcrypto@w3.org>, Mountie Lee <mountie@paygate.net>
- CC: 진승헌 <jinsh@etri.re.kr>
- Message-ID: <2C9D74CFB4E39C4AB170D5AAB41B21D95A665164@SMTP3.etri.info>
Dear Virginie,

I am fine with your agenda and date for web certificate. For the next 2 weeks, I will try to update Web Certificate API and use cases.

Regards,
Sangrae Cho

===========================================================
Sangrae Cho
Authentication Research Team
ETRI (Electronics and Telecommunications Research Institute)
218 Gajeongro, Yuseong-Gu, Daejeon, 305-700, KOREA
Phone : +82-42-860-6939
Fax : +82-42-860-1471
===========================================================

From: GALINDO Virginie [mailto:Virginie.GALINDO@gemalto.com]
Sent: Tuesday, July 09, 2013 12:31 AM
To: 조상래 (Sangrae Cho); Web Cryptography Working Group (public-webcrypto@w3.org); Mountie Lee
Subject: W3C Web Crypto WG - Web Certificate API review

Hi all,

As we suggested during our F2F meeting, and now that our core APIs are on their way for PWD, I suggest that we review the Web Certificate API during our call in 2 weeks: on the 22nd of July @ 20:00 UTC.

Sangrae, Mountie, would that date fit with your respective agendas?

Regards,
Virginie

From: 조상래 (Sangrae Cho) [mailto:sangrae@etri.re.kr]
Sent: Friday, 5 July 2013 10:02
To: Web Cryptography Working Group (public-webcrypto@w3.org)
Subject: Possible solution for same origin policy problem in Web Certificate API

Hi all,

I presented the draft Web Certificate API at the April F2F meeting and there were many questions about the same origin policy problem in WebCert. The following is a possible solution for the same origin problem in WebCert to consider.

PKI operates based on the concept of a circle of trust or trust domain with a Trusted Third Party. When a browser sends a digitally signed document to a web server, the server can verify the signature using a certificate sent from the browser. This is only possible when the two entities trust the CA server that issued the certificate. In this case, if the web server and CA server operate in the same domain, then PKI works fine under the same origin policy (SOP).
Otherwise it will not work unless a cross origin policy (COP) is permitted. We can find an example of how PKI is used in the web environment without SOP. In SSL client authentication, a web server can send a trusted CA list to a web browser to indicate which certificates can be used for client authentication. This means that the TLS/SSL protocol works in the absence of the same origin policy. From this example, I think that SOP and COP can co-exist in a single web browser as follows.

The Korean banking use case indicates that a user gets a certificate issued by a CA server and uses it at a bank for digital signatures. The URLs of the two websites, CA server and bank, are totally different. So a cross origin policy is strongly required to support this use case.

As in the SSL case, if a server sends no trusted CA list to a web browser, the same origin policy governs access to a stored certificate, and the key belongs to the origin server. On the other hand, if the server sends a trusted CA list, COP governs and the web browser can access any certificate that is issued by the trusted CAs; in this case the key belongs to the user, and the proof of ownership is done by decrypting the encrypted private key.

With respect to the WebCrypto API, a public key can be used under the same origin policy. This is OK since a public key algorithm can be used between two entities without involving a CA server to issue a certificate. However, the Web Certificate API cannot work under SOP because it operates based on PKI, which requires a Trusted Third Party to issue and manage a certificate.

I hope that the group reconsiders the suggested solution for the same origin policy problem in WebCert.
Regards,
Sangrae Cho
Received on Tuesday, 9 July 2013 00:31:17 UTC