
List:       ietf-pkix
Subject:    PKI support in W3C's HTML5
From:       "Anders Rundgren" <anders.rundgren () telia ! com>
Date:       2009-08-16 8:13:57
Message-ID: ADFA09505E12436E9474E9BFCE0C3EC0 () AndersPC

Yes, I know that PKIX is only targeting ASN.1-based stuff related to
PKI.  However, there may be a few PKIX subscribers out there who have
interests in things that affect the use of these ASN.1 structures as
well :-)

W3C has recently adopted WHATWG's HTML5 work which in addition to
extended content support also incorporates Netscape's <keygen> in the
plot.

I have long claimed that <keygen> is insufficient since
it doesn't enable issuers to define:

- anything related to PIN-codes
- anything related to key-strength (it is unilaterally set by the user)

In addition, there is no "algorithm agility" support.

Apparently Microsoft also have doubts about the viability of <keygen>:
http://lists.w3.org/Archives/Public/public-html/2009Aug/0389.html

Is a "<keygen>" facility important?  For PCs probably not (smart cards
are distributed physically), but for mobile phones there is hardly any
alternative since SIM-cards are constrained by operators, while $200+
external card readers probably don't fit on-line banking and similar
consumer activities:
http://na.blackberry.com/eng/ataglance/security/products/smartcardreader
SD-cards are another possibility but are much more complex to get running
than schemes based on on-board storage of credentials because form
factors vary and there is still no generally accepted interface between
PKI-cards and operating systems, making interoperability a true nightmare,
not to mention the distribution of third-party middleware to consumers.

So what's missing?  A "<keygen>" addressing everything from ease-of-use
to algorithm agility, as well as supporting security-enhancing additions
to CPUs like TI's "TrustZone" and Intel's "TXT".

Where would such a scheme be defined?  It appears that there are no
standards bodies catering for "neutral" mobile phone security solutions;
they are usually biased towards mobile phone operators, largely ignoring
the obvious:

 "On the Internet anybody can be an operator of something"

Standards (de-facto or real) should of course be designed accordingly.

Note: For enterprises there are as shown some [quite pricy] solutions
supporting a limited set of platforms; what I'm referring to are the
more than 3 BILLION consumers equipped with mobile phones.  Since the
mobile phone is quickly becoming our closest link to the Internet, this
is a pretty interesting area.

The primary hurdle seems to be that in order to succeed, you must go
outside of traditional standardization boundaries since it is not about
creating "yet another protocol", it is about providing a complete
issuer-independent foundation for distributing and managing user-keys,
which also runs deep into cryptographic platforms which were never
designed for secure remote operations by consumers neither having
"Security Officers" nor IT-support at hand!

Thanx,
Anders Rundgren

