W3C home > Mailing lists > Public > www-tag@w3.org > March 2016

Re: What we were using public key authentication for

From: Graham Leggett <minfrin@sharp.fm>
Date: Wed, 30 Mar 2016 18:09:51 +0200
Cc: www-tag@w3.org, timbl@w3.org, Henry Story <henry.story@bblfish.net>, Melvin Carvalho <melvincarvalho@gmail.com>
Message-Id: <E89B7927-BCF4-408C-BEAB-CE394F541AD7@sharp.fm>
To: Dave Longley <dlongley@digitalbazaar.com>
On 30 Mar 2016, at 6:00 PM, Dave Longley <dlongley@digitalbazaar.com> wrote:

> As a quick, temporary replacement for keygen, you should be able to use
> forge (or forge + WebCrypto) to generate a keypair and wrap it in a
> PKCS#12 container that can be downloaded via a link that, when clicked,
> may bring up an import dialog in the user's browser. They may have to
> save the file first before importing, I'm not sure.
> 
> forge: https://github.com/digitalbazaar/forge
> 
> There's some somewhat messy X.509 cert creation and PKCS#12 code that
> could be adapted from this issue:
> 
> https://github.com/digitalbazaar/forge/issues/211#issuecomment-85447100

Does this guarantee that the key was a) generated on the client side only (and not anywhere else and injected into the conversation), and b) that this key cannot be subsequently exported and uploaded to some third party location under the control of third party server code?

If the answer is no to either, then this isn’t a replacement for keygen.

Regards,
Graham
—
Received on Wednesday, 30 March 2016 16:10:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:13 UTC