RE: WebID, BrowserID and NSTIC

> > One difference is that, when you use <KEYGEN>, the browser that
> > requests the certificate does not demonstrate knowledge of the private
> > key, whereas in the proposed NSTIC architecture the certificate is
> > issued by executing an issuance protocol (within the proposed TLS
> > "server-initiated exchange") where the browser does have to
> > demonstrate knowledge of the private key.
http://old.nabble.com/The-%3Ckeygen%3E-element-td22921620.html 
> > Generally speaking, issuing a certificate to a party who may not own
> > the key pair is dangerous.  An attacker could submit to the issuer a
> > public key belonging to a victim, and ask the issuer to sign a bogus
> > certificate binding the public key to attributes chosen for the
> > attacker, e.g. to the attacker's email address.  Then if the attacker
> > can somehow trick the victim into submitting the certificate to a
> > relying party, the relying party may use the email address to send
> > email intended for the victim to the attacker's email address.
Drivel.

Received on Friday, 29 July 2011 14:53:31 UTC
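
The issuer-side proof-of-possession check that the quoted paragraph calls for, as an added Go example that is not part of the original message or of any WebID, BrowserID or NSTIC specification. The `Request` type, the function names, the `pop-v1` label, the email addresses and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Request is a hypothetical certificate request: the attribute to certify,
// the public key to bind it to, and a proof signature (all names assumed).
type Request struct {
	Email  string
	PubKey ed25519.PublicKey
	Proof  []byte
}

var ErrNoPossession = errors.New("requester did not prove possession of the private key")

// NewChallenge returns a fresh issuer nonce so that an old proof cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// toBeSigned binds the proof to the challenge, the key and the requested attribute.
func toBeSigned(challenge []byte, email string, pub ed25519.PublicKey) []byte {
	msg := append([]byte("pop-v1\x00"), challenge...)
	return append(append(msg, pub...), email...)
}

// BuildRequest is the requester side: sign the request with whatever private key is held.
func BuildRequest(challenge []byte, email string, claimed ed25519.PublicKey, signer ed25519.PrivateKey) Request {
	return Request{email, claimed, ed25519.Sign(signer, toBeSigned(challenge, email, claimed))}
}

// Issue refuses to bind an attribute to a key the requester cannot sign with.
func Issue(challenge []byte, r Request) (string, error) {
	if len(r.PubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.PubKey, toBeSigned(challenge, r.Email, r.PubKey), r.Proof) {
		return "", ErrNoPossession
	}
	return fmt.Sprintf("cert{email=%s key=%x}", r.Email, r.PubKey[:4]), nil
}

func main() {
	vPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed victim key
	_, aPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed requester key
	ch := NewChallenge()
	fmt.Println(Issue(ch, BuildRequest(ch, "other@example.org", vPub, aPriv)))
}
```

A request that names someone else's public key fails at `Issue` because the proof does not verify under that key, so no certificate binding that key to the requested email is produced.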