On 2012-09-05 15:05, Jon Callas wrote:
>
> On Sep 4, 2012, at 15:51, Anders Rundgren <anders.rundg...@telia.com> wrote:
>
>> On 2012-09-04 21:32, Jon Callas wrote:
>>> On Sep 4, 2012, at 12:57, Anders Rundgren <anders.rundg...@telia.com> wrote:
>>>
>>>> On 2012-09-04 18:28, Phillip Hallam-Baker wrote:
>>>>> I would like to see us 'do' something 'about' client authentication.
>>>>>
>>>>> But I don't see much of a client PKI out there to be operated, I think
>>>>> we are going to have to 'build stuff' to fix it. So I don't think it's
>>>>> a PKI operations issue.
>>>>
>>>> http://www.w3.org/2012/webcrypto
>>>
>>> This isn't the same thing. JOSE and all of that are doing crypto, and they
>>> are doing it on the web, but it isn't web PKI, neither server side nor
>>> client side.
>>
>> Jon, in Korea there are 25M active certificates for consumers, in Sweden
>> there are 5M.
>> These schemes are based on proprietary client software.
>> One of the targets of WebCrypto is to get rid of this software.
>>
>> Here is a private proposal on how this could be done:
>>
>> http://webpki.org/papers/PKI/pki-webcrypto.pdf
>
> Anders,
>
> This is a laudable goal, and indeed something worth solving.
> It is also something that JOSE addresses. It still isn't what we are talking
> about here.

Pardon my ignorance, but I'm not sure then what you mean by client-side PKI.

>
> Repeating my use case, Alice connects to example.com with TLS.
> The host example.com authenticates to her with its certificate
> and she authenticates to example.com with hers. At that point,
> there is a mutually-authenticated TLS connection between them.
> This is a fine place to start using the webcrypto protocols
> over that TLS connection for use cases including those in that paper.

I don't think this applies to the payment example I outlined. In such
scenarios you authenticate the server but not the client. The client
rather signs (authorizes) a request. The request may even be rerouted
behind the curtain to another party (like your bank), although it (for
the user) looks like you actually pay directly to the merchant.

>
> I hope that what we would do in this working group would be to
> document edge conditions that the usual PKI documents don't address
> in using client certs.

I have no idea what this could be, so I look forward to any kind of
documentation. I'm personally trying to get the basics going because
currently it doesn't work well at all.

Anders

> I don't expect it to be much more than a few paragraphs, myself, but I'd
> be willing to lose it for the larger goal.
>
> Jon
>
> _______________________________________________
> wpkops mailing list
> wpkops@ietf.org
> https://www.ietf.org/mailman/listinfo/wpkops