KoreaWebCryptoUseCase

From W3C Wiki

MOTIVATION

Over 15 million personal certificates are issued and renewed in every year in Korea. But this certificate service has been offered using ActiveX based plugin technology. As a result, Korean people couldn’t choose other browsers not to be supported plugin by bank, shopping and governmental sites. (It’s not only Korea but also many countries with national certificate authority such as European and south American countries too.)

Some of discussions has raised in this topic in WHATWG, HTML w/g and Webapps W/G since 2008.

Korea’s browser monoculture has prevented tech innovations and user’s choice. It was caused by wrong implementation of digital signature by Korean gorvenment’s the law and national PKI system. Its technique has been based on browser plugin as like Active X and Java applet, so it also made many security problems on user’s PC. Nowadays 15 million personal certificates were issued and they are used in e-banking, trading and governmental sites to valid user and transaction in Korea.

Similarly some of European countries also had national PKI system including Denmark, Spain and etc. Denmark’s system was opensourced, but it is also based on browser plugins. It were dominated by VeriSign most of commercial market as like private CA service with issuing personal certificate and transaction with digital signature.

SUMMARY

Korea like to implement to replace plug-in based certificate service to JS based applications running in a browser or other HTML/CSS/JS-based platform between banking and public certificate servers. It may be included TLS session login/logout, key import/export, a common method for accessing and defining properties of keys, and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption.

DETAILS


Key Store

This document assumes the availability of key store in the browser or browser framework. A <MyCertificate> saved in “key store” may be not made by domain based personal certificates and can be imported from HTML5 file API, third party application or user's action in browser.

Login/out with Certificate

If an user has own a certificate issued by certificate authority, the user can offer his/her credentials to web sites and get some of authorities by login process.

// In this example, we use the following webcrypto APIs:
function showUserCert()
{
  // select user certificate to login from keystore
  var key = new webcrypto.getUserCert();
  for (i in key)
  {
    // make user interface to choose key for login
  }
}

// If the user choose one key,

function login(keyname) {
  var chosenKey = new webcrypto.viewCertInfo(keyname);
  var response = webcrypto.login(chosenKey);
  if(response.code = 200) login_process()
}

The webcrypto.login generates safe encrypted messages and directly sends to web server for validation and authentification. After that, server responses to client whether user certificate is validated or not.

Transation Security

Each transations by webcrypto based methods should not permit DOM changes by other JS functions to protect integrity of keystore and messages.

Signing messages

The webcrypto.signText method generates digitally signed encrypted messages by selected the user certificate given text strings. When the signText("stringToSign", keyname, signOption) method is invoked, the user agent must run these steps:

  • Let stringToSign be the string that the user want to sign. It can be the string, json or XML format. If stringToSign indicates document ID for specific form, the user agent generates QUERY_STRING variables from form.
  • Keyname must be used in login process or you can let user choose other certificate by showUserCert().

Import and export Keystore

This webcrypto.importKeypair method import a key pair into a keystore from PKCS #12 or PEM bundle file.

  • The user selects the folder where the required PKCS #12 or PEM bundle file is stored and clicks on the required PKCS #12 or PEM bundle file.
  • If the selected file was a PEM bundle containing encrypted private keys, one or more Password for Private Key dialogs will appear, one fore each such key.
  • The method can call directly the native user interface of the browser specific function for importing keypair.

Issue on key protection

In Korean bank cases, each private key is encrypted again with user's pass phase because of multiple key selection by multiple users on a computer. For login in bank site and signing money transaction, user can choose own certificate in multiple of key store and input passphase.

Actually my computer is used my daughter and visitor in my home and we cannot suppose that my computer is only used by myself. If key store is used on financial transations, it must be considered as human factor in real world.

REFERENCES