Send feedback to public-webcrypto@w3.org (archives), or file a bug (see existing bugs).
Copyright © view W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This specification describes a JavaScript API for performing certificate management operations in web applications, such as issuing, updating, and revoking a certificate.
the table of contents are defined by Working Group Charter and email comments.
definition of WebIDL will be added after getting consensus for table of contents.
This specification describes a JavaScript API for performing certificate management operations in web applications, such as issuing, updating, and revoking a certificate.
James want to issue a certificate that will be used for online banking.
He visits a physical bank branch and obtains a reference number and authorization code after face to face verification is done by a bank staff. The reference number is used to track certificate enrollment process for multiple days.
He generates a key pair using his user agent at his computer and sends the public key, reference number, authorization code and other parameters to a certificate service provider (www.csp.com).
CSP server signs the public key and user's information with CA's private key to issue a certificate and returns the issued certificate to user agent of James. The issued certificate is stored in the storage of the user agent for later use.
When the issued certificate is going to be expired, he can update his certificate by generating a new key pair for a new certificate. For updating, he does not need to have a reference number and authorization code since he can sign a certificate update message with his private key.
James can revoke his certificate when the related service is no longer needed. The process is similar to certificate update. He signs a certificate revocation message with his private key and send it to CSP server. The return message contains the result of revoking process. CSP server will add the revoked certificate to CRL if the revoking process is successful.
the web certificate api based on the certificate management protocol follows by RFC4210.
this specification focus on user agent side of RFC4210 CMP
Web Certificate API defines the request and response parameters and processed between user agent and CA service providers
The following figure illustrates the operational flow of certificate menagement. The UA always requests one of the certificate management operation to a CA server by sending a request message. CA server then processes the request message and sends the result of oepration in a response message back to the UA. The UA handles the response message to retrieve the status and a certificate if necessary and then it optionally sends a confirmation message to CA server to notify the end of an operation.
KeySpec is used to represent public and private key information
Interface KeySpec {
unsigned int keyLength;
readonly attribute AlgorithmIdentifier keyAlgorithm;
readonly attribute Parameters parameters;
};
keyLength - public key length in bits.
keyAlgorithm - public key algorithm identifier.
parameters - any parameter to operate public key cryptosystem
CertSpec is used to represent a certificate
Interface CertSpec {
readonly attribute DomString issuer;
unsigned int serialNumber;
};
issuer - the relative distinguishied name of the certificate issuer.
serialNumber - serial number to identify a certificate within the range of issued certificates from a particular certificate issuer.
CertContext is the object that will contain a collection of input parameters for cert management operation.
enum ReqType {
// RFC 4210 Certificate Management Protocol.
"cmp",
// PKCS#10 type Certificate signing request.
"pkcs10",
};
Interface CertContext {
readonly attribute ReqType reqType;
readonly attribute DomString refNo;
readonly attribute DomString authCode;
};
reqType - request message type.
refNo - reference number to identify a user to request certificate.
authCode - initial authentication code for origin of message.
CertResult is the object that will contain a return value when the response of cmp is received and processed from a CA Server. This object contains the result of CA operation that is requested by UA.
Interface CertResult {
readonly attribute DOMString status;
readonly attribute CertSpec cert:
};
status - this indicates the result of CA operation requested by UA.
cert - a certificate that is issued or updated by CA server
Cert is the object that requests certificate operation to CA server and handles a response message from the server.
Interface Cert {
DomString genCertIssue (CertContext context, KeySpec key, optional DOMString keyPass);
DomString genCertUpdate (CertContext context, CertSpec cert, optional DOMString keyPass, KeySpec newKey, optional DOMString newKeyPass);
DomString genCertRevoke (CertContext context, DOMString reason, CertSpec cert, optional DOMString keyPass);
CertResult handleResp (DomString respMessage);
DomString genCertConfirm (CertSpec cert, optional DOMString keyPass);
}
this method allows UA to generate certificate request message to CA. A keypair should be generated inside the method. The return value is base64 encoded ASN.1 message.
Input parameters:
Return value:
this method allows UA to renew a certificate to CA. A keypair should be generated inside the method. The return value is base64 encoded ASN.1 message.
Input parameters:
Return value:
this method allows UA to revoke a certificate to CA. This method returns base64 encoded ASN.1 message for certificate revocation.
Input parameters:
Return value:
This method handles a response message sent from CA Server.
Input parameters:
Return value:
This method generates confirmation message required in CMP protocol sending to CA server that confirms certificate operation is successfully finished.
Input parameters:
Return value: