Sir:

Anders Rundgren wrote:
> Nelson B Bolyard wrote:
>>> This demonstrates that standardization is an option but an increasingly
>>> difficult option as well in an ever faster-moving world:
>>> http://www.w3.org/2009/06/xhtml-faq.html
>>
>> Does it?
>> It appears to me that this is the standards body pruning the tree of
>> html offshoots, recognizing a single standard for the "XML serialization
>> of HTML".
>
> That's correct. But as I have understood it, HTML5 came from the "outside"
> through WHATWG and effectively killed W3C's "internal" (X)HTML effort.
>
>> Now, I seem to recall that one of your complaints about the
>> world of crypto is the lack of standardization of methods (e.g. scripting)
>> for certain functions.
>
> Well, I primarily question the *huge* investments that are done by EU banks
> and Governments for replacing or enhancing the client-side PKI implementation of
> current browsers with proprietary stuff. Technically they had no real option
> though.
>
> I had naively hoped that for example Mozilla would be interested in getting
> some of this money in exchange for spearheading work in this space. Having a
> platform that runs on most computers makes Firefox an excellent "vehicle" for
> such developments!
>
> Unfortunately, in spite of big efforts (papers, conferences, and a gazillion
> e-mails), I have to date not found a single person within Microsoft or the
> Mozilla community who is interested in the more architectural aspects of
> secure on-line banking and e-government services for the web.
>
> Anyway, I started 2003 with the idea that I should try to standardize "web
> signing", but I have swapped "standardization" for Open Source. Lately I've
> found a much more important area than signing and that is key provisioning
> and management. This is truly virgin territory! The current work spans from
> soft certificates in browsers to hardware-protected keys in mobile phones. In
> addition, there is a new token architecture that by adding $1-$2 to the
> list-price of a USB memory stick will enable consumers to have a mobile
> "key.db" making their PIV/CAC/eID cards appear quite limited (like addressing
> 5% of your Internet auth needs).
>
> That for example Microsoft launched their pretty nice Information Card scheme
> as running code + spec + support to Open Source and waited more than two
> years with a formal OASIS TC is an indication that I'm not alone in believing
> that introducing *radically new* things the old way has simply run out of gas.
>
> Happy 4th wishes
> Anders Rundgren
> Reasonably good engineer, lousy salesman
I assume that you have been following the IETF RFCs on the crypto subject. They
just released a series of RFCs on management of keys. As you know, keys
are used in all layers of the OSI ref. stack in some form of security
protocol. I think we should follow the IETF lead and implement those
concepts that fit within SASL or TLS or MIME, etc., the application
layer stuff as defined by IETF. There is no point in trying to be
universal, because that is impossible. Also note the Trusted Computing
Platform work. At present, no operating system is FIPS 140-2 level two
or better without some hardware support. Where do you wish to take
this? Note I am not a programmer, just a lurker. At present those
crypto USB keys are used in a Kerberos corporate environment to ID
individuals. That is as far as I would extend their use (but then one
is more likely to find Trusted Computing Modules on corporate machines
where the decrypting key would be a local corporate key embedded in the
TCM). Speaking of Kerberos, do you know if GSS-API in Mozilla has been
extended to support channel bindings, if supported in IPsec? So you
say, where does this fit into WEB signing? You cannot sign web sites
without keys and some way to check them securely (that's the management
part). You know, in my mind, I equate Kerberos with authentication of
individuals, SASL with authentication of applications or users (roles
aspect), TLS with authentication of servers (running code, not
machines), and IPsec with authentication of hardware (machines). IPsec
is outside Mozilla code responsibility (other than checking channel
bindings). So what is this WEB signing? And where does this fit in the
scheme of things? NOTE OASIS and IETF are working together on common
issues. Does HTML5 cover any of the issues you'd like to see covered?
--
Bill
<Thanks, a Million>
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto