RE: Follow-up. Re: Use case: Authenticate using eID


In the use case document, for cross-origin use cases, maybe we should describe the limits (or assumptions) of the webcrypto API in dealing with such use cases and the privacy considerations?

The approach of webcrypto API + postMessage :

can solve some of the cross-origin use cases, but not all of them. It works when Origin A generates the key and persists it on the user computer that the UA runs. Then Origin B can ask Origin A to do operations using the key. (How does Origin B specify which key to use?)

This approach does not work when Origin A provisions the key in a smart card without persists anything on the user computer, and Origin B wants to use the key without invoking Origin A. These are typical eID, eHealth, and other smart card use cases.


-----Original Message-----
From: Arun Ranganathan [] 
Sent: Wednesday, May 15, 2013 1:17 PM
To: Mountie Lee
Cc: Richard L. Barnes; Nick Van den Bleeken; Aymeric Vitte; Group
Subject: Re: Follow-up. Re: Use case: Authenticate using eID


Another subtle aspect of this model might be found in the way Origin A, which performs cryptographic operations on behalf of Origin B, interacts with the user:

On May 15, 2013, at 6:27 AM, Mountie Lee wrote:

> Hi.
> visibility has no meaning for blindness.
> iframes can be invisible when it run silently.
> but
> with the view of key ownership,
> we can image some interactions between user and script.
> - showing content for signing.
> - entering passphrase for private key access which is associated with certificate
> - getting user consent for many purposes.

On the web today, OAuth is fairly prevalent, and is used to authenticate users on some sites with well-established identities on other sites.  To take a practical example, the Facebook, Twitter, and LinkedIn identities (authentication credentials like usernames and passwords) often are used to authenticate users on different sites.  I like this model; users understand it.  We can migrate this model over to our world that uses postMessage within the UA (in lieu of the complicated protocol steps of OAuth).

In our world, OriginA might be considered an iDP (identity provider).  OriginB might be considered a relying party.  Sure, OriginB might use an invocation of OriginA through an iframe, but OriginA might solicit user credentials and thus spawn a UI flow.  Origin A can be explicit about what it grants.

"User consent" that follows the model of OAuth (for inspiration about a UI consent model, of course) on the web today is both feasible and desirable.  Accessiblity can thus be subject to all the usual considerations -- business as usual :-)

Also, I agree with your point made in earlier correspondence about differences about "who owns the key" as being philosophical.  It is philosophical, depending on how you think about the origins.  We're essentially building a web of origins, no different than the web that exists right now.  

If you have further questions about this, I'm happy to answer them off-list.  Hopefully when the use case is documented it will also answer your questions.

-- A*

Received on Thursday, 16 May 2013 20:56:10 UTC