Re: WebID, BrowserID and NSTIC

> > > One difference is that, when you use <KEYGEN>, the browser that
> > > requests the certificate does not demonstrate knowledge of the private
> > > key, whereas in the proposed NSTIC architecture the certificate is
> > > issued by executing an issuance protocol (within the proposed TLS
> > > "server-initiated exchange") where the browser does have to
> > > demonstrate knowledge of the private key.
> http://old.nabble.com/The-%3Ckeygen%3E-element-td22921620.html

Oops!  I thought <KEYGEN> just sent the public key to the server.  I
didn't realize it also sends a signature computed with the associated
private key, which demonstrates knowledge of the private key.  So use
of <KEYGEN> is equivalent to the issuance protocol in the proposed
NSTIC architecture.

(For issuing a credential such as an Idemix anonymous credential or
a U-Prove token, the issuance protocol involves an exchange of several
messages, so something like <KEYGEN> would not work.)

Francisco

Received on Saturday, 30 July 2011 22:13:45 UTC