Re: Additional use cases from Aymeric Vitte on 2013-05-06 (public-webcrypto@w3.org from May 2013)

From: Aymeric Vitte <vitteaymeric@gmail.com>
Date: Tue, 07 May 2013 01:15:07 +0200
To: Lu HongQian Karen <karen.lu@gemalto.com>
CC: Arun Ranganathan <arun@mozilla.com>, "public-webcrypto@w3.org Working Group" <public-webcrypto@w3.org>
Message-ID: <5188397B.7030203@gmail.com>

You can pass keys between origins, see [1], the example is an attack but 
you can do this a friendly way, even if personnaly I find it very ugly, 
and for use case 2 unlikely (not sure to understand the use case but why 
the origin2 printing service should know your key?)

Case 1 is feasible but why everytime here or in other origins 
discussions the secret key should be provisioned online while it's clear 
that it's extremely difficult to secure? Dr Smith could just get his 
private key by email and copy/paste it to provision it while connecting 
to e-prescription the first time (maybe it's unclear but that's what I 
have tried to describe in [2]), no? (and, yes I am sure that Dr Smith 
will make it, we have a soft for medics and they are surprisingly 
extremely performant with computer stuff when they find an interest)

[1] 
http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Mar/0040.html
[2] https://gist.github.com/Ayms/d21bbab05361bd58c439

Regards,

Le 06/05/2013 18:38, Lu HongQian Karen a écrit :
>
> Hi Arun,
>
> Here are the two use cases that I have talked about at the recent F2F 
> meeting.
>
> Cross-origin use cases:
>
> 1.Asymmetric key use case: A healthcare association (origin 1) issued 
> Dr. Smith an X.509 certificate and the corresponding private key. Dr. 
> Smith accesses an e-prescription service (origin 2) and uses her 
> private key to sign e-prescriptions.
>
> 2.Secret key use case: Danny signed up at a cloud storage (origin 1) 
> that created him a secret access key and persisted it through Danny's 
> UA. Danny stores his 3D model data in the cloud storage. He then uses 
> an online 3D printing service (origin 2) to print his model. To access 
> Danny's model in Origin 1, Origin 2 needs to use Danny's secret key. 
> Danny tells Origin 2 certain attribute(s) of his key. The Origin 2 
> finds the key object through the UA and uses the key to sign API 
> requests for getting the model from cloud storage.
>
> Although these two use cases are out of the current WG scope. It'll be 
> good to collect them for future work.
>
> Regards,
>
> Karen
>

-- 
jCore
Email :  avitte@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com

Received on Monday, 6 May 2013 23:12:49 UTC