William L. Hartzell wrote: <snip> >I assume that you been following IETF RFC on the Crypto subject. They >just released a series of RFC on management of keys.
I have not heard of this before unless you are talking about TAM, TAMP or KEYPROV. None of these efforts have any relevance for the subject in question since they do not address browsers. Browsers have IMHO been excluded from innovation in this space since Netscape Navigator 4.0 with one notable exception: Microsoft Information Cards. >As you know, keys >are used in all layers of the OSI ref. stack in some form of security >protocol. I think we should follow the IETF lead and implement those >concepts that fit within SASL or TSL or MINE, etc., The application >layer stuff as defined by IETF. I'm not sure what you are referring to here. >There is no point in trying to be universal, because that is impossible. This is an interesting subject. The problem is that "universal" means very different things to different people. One thing is for sure, browsers represent a truly universal application. My contribution to this universal application is a multi-issuer, universal method for distributing and managing cryptographic keys for end-users. I'm not aware of anything similar since standardization efforts for *consumers* doesn't work since there is no "paying customer" and associated software licenses. >Also note the Trusted Computing Platform work. I'm a former member of TCG and the stuff I'm working on is nothing but a soaped-up version of the TCG work although I have taken the liberty of separating key storage and platform integrity measurements because I feel that these are better run as separate projects. >At present, no operating system is FIPS140-2 level two >or better without some hardware support. Where do you wish to take >this? Note I am not a programmer, just a lurker. At present those >crypto USB keys are used in a Kerberos corporate environment to id <individuals. That is as far as I would extend their use (but then one >is more likely to find Trusted Computing Modules on Corporate machines >where the decrypting key would be a local corporate key embedded in >TCM). Speaking of Kerberos, do you know if GSS-API in Mozilla has been >extended to support channel bindings, if supported in Ipsec? So you >say, where does this fit into WEB signing? You cannot sign web sites >without keys and some way to check them securely (that the management <part). You know In my mind, I equate Kerberos with authentication of >individuals, SASL with authentication of applications or users (roles >aspect), TSL with authentication of servers (running code, not >machines), and IPsec with authentication of hardware (machines). Ipsec >is outside Mozilla code responsibility (other than checking channel >bindings). Here you lost me. >So what is this WEB signing? And where does this fit in the >scheme of things? NOTE Oasis and IETF are working together on common >issues. Does HTML5 cover any of the issues you'd like to see covered? There are no "real" standardization efforts whatsoever that addresses the stuff that I and Martin Paljak have brought up on this list. There are plenty of national and proprietary schemes that tries to upgrade browsers to the level needed for on-line banking and e-government activities using client-side PKI. There is also no natural home for these issues since Mozilla, Apple, Google and Microsoft haven't heard about such requirements which is due to the fact that two-factor-authentication on the US consumer market is close to zero. In fact, in the Information Card forum which I'm member of, the US participants always say that "people hate tokens"; completely ignoring that tokens are more or less a standard utility in the EU, be it mostly of the OTP kind. Anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
