
RE: WebID, BrowserID and NSTIC

From: Peter Williams <home_pw@msn.com>
Date: Fri, 29 Jul 2011 07:53:03 -0700
Message-ID: <SNT143-w52718FCAF1A44BC6D8B47B92370@phx.gbl>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>

> > One difference is that, when you use <KEYGEN>, the browser that
> > requests the certificate does not demonstrate knowledge of the private
> > key, whereas in the proposed NSTIC architecture the certificate is
> > issued by executing an issuance protocol (within the proposed TLS
> > "server-initiated exchange") where the browser does have to
> > demonstrate knowledge of the private key.
> > Generally speaking, issuing a certificate to a party who may not own
> > the key pair is dangerous.  An attacker could submit to the issuer a
> > public key belonging to a victim, and ask the issuer to sign a bogus
> > certificate binding the public key to attributes chosen for the
> > attacker, e.g. to the attacker's email address.  Then if the attacker
> > can somehow trick the victim into submitting the certificate to a
> > relying party, the relying party may use the email address to send
> > email intended for the victim to the attacker's email address.
Received on Friday, 29 July 2011 14:53:31 UTC
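The issuance check the quoted text argues for, as an added example that is not code from this thread, from WebID or from NSTIC: an issuer that refuses to certify a public key unless the request is signed by the matching private key. The IssuanceRequest format, the names and the sample e-mail addresses are all hypothetical (Ed25519 stands in for whatever key type the real protocol would carry).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
)

// IssuanceRequest (hypothetical): the key to certify, the e-mail to bind to it,
// and a signature over both that must come from that key's private half.
type IssuanceRequest struct {
	PublicKeyDER []byte // SubjectPublicKeyInfo, DER-encoded
	Email        string
	Signature    []byte // Ed25519 signature over signedBytes
}

func signedBytes(pubDER []byte, email string) []byte {
	return append(append([]byte{}, pubDER...), email...)
}

// NewRequest has `signer` sign a request to certify `pub`; the dangerous case
// from the thread is a request that names a victim's key but is signed by someone else.
func NewRequest(pub ed25519.PublicKey, signer ed25519.PrivateKey, email string) (*IssuanceRequest, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signer, signedBytes(der, email))
	return &IssuanceRequest{PublicKeyDER: der, Email: email, Signature: sig}, nil
}

// ProofOfPossessionOK is the issuer-side check: the signature must verify under
// the very key the request asks to certify, so a request built around another
// party's public key is rejected before any certificate is signed.
func ProofOfPossessionOK(r *IssuanceRequest) bool {
	key, err := x509.ParsePKIXPublicKey(r.PublicKeyDER)
	if err != nil {
		return false
	}
	pub, ok := key.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, signedBytes(r.PublicKeyDER, r.Email), r.Signature)
}

func main() {
	victimPub, victimPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed keys
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	honest, _ := NewRequest(victimPub, victimPriv, "victim@example.com")
	bogus, _ := NewRequest(victimPub, attackerPriv, "attacker@example.com")
	fmt.Println("honest request passes:", ProofOfPossessionOK(honest)) // true
	fmt.Println("bogus request passes: ", ProofOfPossessionOK(bogus))  // false
}
```

Because the signed bytes include the e-mail, the same check also rejects a request whose attribute was altered after the key holder signed it.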
