On Sep 4, 2012, at 15:51, Anders Rundgren <anders.rundg...@telia.com> wrote:

> On 2012-09-04 21:32, Jon Callas wrote:
>> On Sep 4, 2012, at 12:57, Anders Rundgren <anders.rundg...@telia.com> wrote:
>> 
>>> On 2012-09-04 18:28, Phillip Hallam-Baker wrote:
>>>> I would like to see us 'do' something 'about' client authentication.
>>>> 
>>>> But I don't see much of a client PKI out there to be operated, I think
>>>> we are going to have to 'build stuff' to fix it. So I don't think it's
>>>> a PKI operations issue.
>>> 
>>> http://www.w3.org/2012/webcrypto
>> 
>> This isn't the same thing. JOSE and all of that are doing crypto, and they
>> are doing it on the web, but it isn't web PKI, neither server side nor client
>> side.
> 
> Jon, in Korea there are 25M active certificates for consumers, in Sweden 
> there are 5M.
> These schemes are based on proprietary client software.
> One of the targets of WebCrypto is to get rid of this software.
> 
> Here is a private proposal on how this could be done:
> 
>   http://webpki.org/papers/PKI/pki-webcrypto.pdf

Anders,

This is a laudable goal, and indeed something worth solving. It is also 
something that JOSE addresses. It still isn't what we are talking about here. 

Repeating my use case, Alice connects to example.com with TLS. The host 
example.com authenticates to her with its certificate and she authenticates to 
example.com with hers. At that point, there is a mutually-authenticated TLS 
connection between them. This is a fine place to start using the webcrypto 
protocols over that TLS connection for use cases including those in that paper.

I hope that what we would do in this working group would be to document edge
conditions that the usual PKI documents don't address in using client certs.
I don't expect it to be much more than a few paragraphs, myself, but I'd be
willing to lose it for the larger goal.

Jon
_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
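The use case Jon describes above (example.com authenticates to Alice with its certificate, Alice authenticates to example.com with hers, and only then is there a mutually-authenticated TLS connection) is small enough to show end to end. The program below is an added example written for this page; it is not code from the thread, from the IETF or from any project named here. It uses only the Go standard library: it generates a throwaway CA and two leaf certificates in memory (the CA name "Demo Root CA", the client name "alice" and the loopback address are assumptions made for the demo), starts a TLS listener that requires a client certificate chaining to that CA, and dials it. It also exercises the kind of edge condition the working group would have to document, namely what the server-side handshake does when the client presents no certificate at all, or one issued by a CA the server does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a P-256 certificate for name: a self-signed CA when parent is
// nil, otherwise a leaf signed by parent (server-auth EKU when server is true,
// client-auth EKU otherwise). Everything is generated in memory for the demo.
func makeCert(parent *tls.Certificate, name string, server bool) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		if server {
			tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		tmpl.DNSNames = []string{name} // Go matches server names against SANs, not the CN
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// MutualTLS runs one handshake over loopback: the server authenticates with its
// certificate and requires a client certificate chaining to ca; the client verifies
// the server under ca and presents client (nothing when nil). It returns the subject
// the server authenticated, or the error that ended the handshake.
func MutualTLS(ca, server, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication switch
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var who string
	done := make(chan error, 1)
	go func() { // server side: accept, handshake, read the verified peer certificate
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				who = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: server.Leaf.Subject.CommonName}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { // a TLS 1.2 server rejects inside the handshake, so the client sees it here
		return "", err
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes first, so the server's verdict on the client certificate is only visible server-side.
	if err := <-done; err != nil {
		return "", err
	}
	return who, nil
}

func main() {
	ca, _ := makeCert(nil, "Demo Root CA", false)
	server, _ := makeCert(ca, "example.com", true)
	alice, _ := makeCert(ca, "alice", false)
	fmt.Println(MutualTLS(ca, server, alice)) // prints: alice <nil>
	fmt.Println(MutualTLS(ca, server, nil))   // prints an empty subject and the server's handshake error
}
```

Two details are worth noticing. First, `tls.RequireAndVerifyClientCert` is the whole difference between ordinary server-authenticated TLS and the mutual case: without it the same server accepts Alice's connection with no proof of who she is. Second, the server's decision about the client certificate is not something the client can observe from its own handshake result under TLS 1.3, which is exactly the sort of edge condition worth a paragraph in an operations document.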