Re: [KEYPROV] CMS Usage in a Browser Environment
Anders Rundgren <anders.rundgren@telia.com> Wed, 19 January 2011 12:22 UTC
Message-ID: <4D36D838.1070500@telia.com>
Date: Wed, 19 Jan 2011 13:25:28 +0100
From: Anders Rundgren <anders.rundgren@telia.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <3E2A0ABE-05DA-4641-A8A8-BDE967A1D2D9@gmx.net> <4D36CFD3.8030403@telia.com> <92785801-D43A-4BD9-B933-EDD32A1A39A0@gmx.net>
In-Reply-To: <92785801-D43A-4BD9-B933-EDD32A1A39A0@gmx.net>
Cc: KEYPROV <keyprov@ietf.org>

Hannes Tschofenig wrote:
> Hi Anders,
>
> yes, I vaguely recall that discussion. The issue you raise does not
> necessarily relate to the cryptographic functionality of CMS but rather
> the ability to access a key store from JavaScript. This would be largely
> independent of the actual approach for signing. Right?
>
> While your point is indeed valid the question I have is more along the
> lines of implementing the cryptographic mechanisms in JavaScript in
> the browser and whether someone had tried to implement CMS there.

I see. This is as you say an entirely different issue.
People have been doing RSA signatures for a decade in browsers so CMS
shouldn't be a problem although I haven't any code for that.

Since native key store access is a no-no, I guess you are talking about
cookies and/or web-db as key stores?

Cheers,
Anders

>
> Ciao
> Hannes
>
> On Jan 19, 2011, at 1:49 PM, Anders Rundgren wrote:
>
>> Hannes Tschofenig wrote:
>>> Hi all, I am wondering whether someone has gotten some experience with CMS usage in
>>> a browser based environment for signing JSON tokens (or other content).
>>
>> Hi Hannes,
>>
>> I believe almost every browser is running on a cryptographic platform that
>> supports CMS. However, they don't expose this functionality because that
>> would be a security problem unless there is a GUI involved where the user
>> grants the browser to sign an object including saying which key to use.
>>
>> This is essentially what I've been ranting about since years back:
>> you don't get anywhere unless you start programming browsers or know
>> somebody who does.
>>
>> What the GUI should contain is depending on the underlying application.
>> In WASP (http://webpki.org/papers/wasp/wasp-tutorial.pdf) it is about
>> signing a document (request), while in KeyGen2 (http://webpki.org/auth-token-4-the-cloud.html)
>> it is about allowing an issuer creating keys.
>>
>> I have FWIW downloaded Firefox 4 beta code and have managed to compile
>> it at least. Since this isn't my day-job I guess the rest will be slow.
>> If there is somebody out there who is interested in making browsers more
>> capable, just drop me a line :-)
>>
>> Cheers,
>> Anders
>>
>>> Ciao
>>> Hannes
>>> PS: I am working with others on a BOF about JSON cryptographic procedures:
>>> http://trac.tools.ietf.org/bof/trac/wiki/WikiStart
>>> _______________________________________________
>>> KEYPROV mailing list
>>> KEYPROV@ietf.org
>>> https://www.ietf.org/mailman/listinfo/keyprov