> > > One difference is that, when you use <KEYGEN>, the browser that
> > > requests the certificate does not demonstrate knowledge of the private
> > > key, whereas in the proposed NSTIC architecture the certificate is
> > > issued by executing an issuance protocol (within the proposed TLS
> > > "server-initiated exchange") where the browser does have to
> > > demonstrate knowledge of the private key.
> http://old.nabble.com/The-%3Ckeygen%3E-element-td22921620.html
Oops! I thought <KEYGEN> just sent the public key to the server. I
didn't realize it also sends a signature computed with the associated
private key, which demonstrates knowledge of the private key. So use
of <KEYGEN> is equivalent to the issuance protocol in the proposed
NSTIC architecture.
(For issuing a credential such as an Idemix anonymous credential or
a U-Prove token, the issuance protocol involves an exchange of several
messages, so something like <KEYGEN> would not work.)
Francisco
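As an added illustration of the point settled above (not code from the thread or from any of the projects it mentions), the Go program below models the single-round-trip proof of possession that <KEYGEN> performs: the server hands the browser a challenge, the browser generates a fresh key pair and returns its public key together with a signature over (public key || challenge), and the server verifies that signature under the enclosed public key before it will issue a certificate. The struct name, the SHA-256 digest over SPKI and challenge, and the use of ECDSA P-256 are assumptions of this example; a real <KEYGEN> element submits the Netscape SPKAC structure, whose exact encoding is not reproduced here. The checks a relying server needs are the ones shown: the challenge must be the one this server issued (otherwise a captured submission can be replayed), and the signature must verify under the very key being certified (otherwise anyone could obtain a certificate for a public key they do not control).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SignedPublicKeyAndChallenge is a hypothetical stand-in for what <keygen>
// submits: the new public key, the server's challenge, and a signature over
// both made with the matching private key (the proof of possession).
type SignedPublicKeyAndChallenge struct {
	SPKI      []byte // DER-encoded SubjectPublicKeyInfo
	Challenge string // challenge string the server issued for this enrolment
	Signature []byte // ASN.1 DER ECDSA signature over digest(SPKI, Challenge)
}

// digest binds the public key and the challenge into one message to sign.
func digest(spki []byte, challenge string) []byte {
	h := sha256.New()
	h.Write(spki)
	h.Write([]byte(challenge))
	return h.Sum(nil)
}

// BrowserSide generates a fresh key pair and signs the server's challenge with
// the new private key, which never leaves the client.
func BrowserSide(challenge string) (*ecdsa.PrivateKey, *SignedPublicKeyAndChallenge, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(spki, challenge))
	if err != nil {
		return nil, nil, err
	}
	return priv, &SignedPublicKeyAndChallenge{SPKI: spki, Challenge: challenge, Signature: sig}, nil
}

// ServerSide decides whether a submission proves possession of the private
// key for the enclosed public key. It returns true only if the challenge is
// the one this server issued and the signature verifies under that key.
func ServerSide(issuedChallenge string, sub *SignedPublicKeyAndChallenge) (bool, error) {
	if sub.Challenge != issuedChallenge {
		return false, nil // stale or replayed submission
	}
	pub, err := x509.ParsePKIXPublicKey(sub.SPKI)
	if err != nil {
		return false, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("submitted key is not an ECDSA key")
	}
	return ecdsa.VerifyASN1(ecPub, digest(sub.SPKI, sub.Challenge), sub.Signature), nil
}

func main() {
	const challenge = "example-challenge-0001" // constructed sample value
	_, sub, err := BrowserSide(challenge)
	if err != nil {
		panic(err)
	}
	ok, err := ServerSide(challenge, sub)
	fmt.Println("proof of possession accepted:", ok, err)

	// A submission that swaps in someone else's public key, or reuses an old
	// challenge, must be rejected; the signature no longer matches.
	_, other, _ := BrowserSide(challenge)
	forged := *sub
	forged.SPKI = other.SPKI
	ok, _ = ServerSide(challenge, &forged)
	fmt.Println("swapped public key accepted:", ok)
	ok, _ = ServerSide("a-different-challenge", sub)
	fmt.Println("replayed challenge accepted:", ok)
}
```

Because a single signed message suffices here, one POST from the browser completes the exchange; the multi-message Idemix and U-Prove issuance protocols mentioned in the reply cannot be fitted into this shape.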