ISSUE-15: Discovering certificates associated with (private) keys

Discovering certificates associated with (private) keys

State:
POSTPONED
Product:
next for Web Crypto API
Raised by:
Ryan Sleevi
Opened on:
2012-08-06
Description:
During the July Face-to-Face, one attribute that was desired to be associated with the Key object was if the user has any associated certificates for that key.

For operations involving digital signatures, it's highly desirable to be able to produce both a signature and embed an associated certificate. See, for example, S-MIME.

However, exposing certificates opens a host of implementation and privacy concerns:
- Certificates associated with Keys may be transient (for example, backed on temporary storage). Should discovery be static (ie: as an attribute of the Key) or dynamic (ie: as a method on the Key)
- What is the form that certificates should take? Does this API require specifying an X.509v3 API as well? ASN.1 -> WebIDL representation?
- What are the privacy risks associated with exposing certificates to an application? Some pre-provisioned certificates may contain personally identifying information, and thus user consent may be desired before granting access to the certificate.
- Additionally, if the application can construct (temporary/ephemeral) public keys, and then execute certificate discovery on those key, they might be able to discover sensitive information about the user, without requiring access to the key handle itself.
- If key handles can be shared between origins (either at the application's discretion during key generation or based on some form of user assent/input), do certificates represent a way to smuggle information between origins, using application/x-x509-user-cert to deliver cert payloads?
Related Actions Items:
No related actions
Related emails:
  1. W3C Web Crypto WG - classifying issues (from Virginie.GALINDO@gemalto.com on 2013-02-18)
  2. PROPOSAL: CLOSE ISSUE-40: How should we define key discovery, noting asynchronicity (from Virginie.GALINDO@gemalto.com on 2013-02-11)
  3. Re: PROPOSAL: Move ISSUE-40: How should we define key discovery, noting asynchronicity ( was Re: W3C Web Crypto WG - classifying issues ) (from watsonm@netflix.com on 2013-02-11)
  4. Re: W3C Web Crypto WG - classifying issues (from sleevi@google.com on 2013-02-07)
  5. Re: PROPOSAL: Move ISSUE-40: How should we define key discovery, noting asynchronicity ( was Re: W3C Web Crypto WG - classifying issues ) (from sleevi@google.com on 2013-02-07)
  6. Re: PROPOSAL: Move Issue-25: How do we provision a globally unique ID (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  7. Re: PROPOSAL: Close ISSUE-15: Discovering certificates associated with (private) keys (from sleevi@google.com on 2013-02-07)
  8. PROPOSAL: ??? ISSUE-24: Defining a synchronous API (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  9. PROPOSAL: Move Issue-25: How do we provision a globally unique ID (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  10. PROPOSAL: Postpone ISSUE-26: Should key generation be allowed to specify multi-origin access (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  11. PROPOSAL: Move ISSUE-30: How does the application know where the key is stored? (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  12. PROPOSAL: Postpone ISSUE-34: Representation of Certificates (was Re: W3C Web Crypto WG - classifying issues) (from sleevi@google.com on 2013-02-07)
  13. PROPOSAL: Move ISSUE-40: How should we define key discovery, noting asynchronicity ( was Re: W3C Web Crypto WG - classifying issues ) (from sleevi@google.com on 2013-02-07)
  14. W3C Web Crypto WG - classifying issues (from Virginie.GALINDO@gemalto.com on 2013-02-07)
  15. Re: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from watsonm@netflix.com on 2013-02-04)
  16. RE: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from Asad.Ali@gemalto.com on 2013-02-04)
  17. Re: W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from S.Durbha@cablelabs.com on 2013-02-04)
  18. W3C Web Crypto WG - agenda for our call today @ 20:00 UTC (from Virginie.GALINDO@gemalto.com on 2013-02-04)
  19. PROPOSAL: Close ISSUE-34 - Representation of certificates (from sleevi@google.com on 2013-01-31)
  20. PROPOSAL: Close ISSUE-15: Discovering certificates associated with (private) keys (from sleevi@google.com on 2013-01-31)
  21. W3C Web Crypto WG - agenda for 22nd of october call - today (from Virginie.GALINDO@gemalto.com on 2012-10-22)
  22. RE: W3C Web Crypto WG - agenda for 15th of october call - today (from Vijay.Bharadwaj@microsoft.com on 2012-10-15)
  23. RE: W3C Web Crypto WG - agenda for 15th of october call - today (from Asad.Ali@gemalto.com on 2012-10-15)
  24. Re: W3C Web Crypto WG - agenda for 15th of october call - today (from rbarnes@bbn.com on 2012-10-15)
  25. Re: W3C Web Crypto WG - agenda for 15th of october call - today (from S.Durbha@cablelabs.com on 2012-10-15)
  26. Re: W3C Web Crypto WG - agenda for 15th of october call - today (from mountie.lee@mw2.or.kr on 2012-10-15)
  27. W3C Web Crypto WG - agenda for 15th of october call - today (from Virginie.GALINDO@gemalto.com on 2012-10-15)
  28. RE: crypto-ISSUE-15: Discovering certificates associated with (private) keys [Web Cryptography API] (from Virginie.GALINDO@gemalto.com on 2012-10-12)
  29. Re: crypto-ISSUE-15: Discovering certificates associated with (private) keys [Web Cryptography API] (from mountie.lee@mw2.or.kr on 2012-10-10)
  30. crypto-ISSUE-34 (certificate-format): Representation of certificates [Web Cryptography API] (from sysbot+tracker@w3.org on 2012-08-28)
  31. Re: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API] (from sleevi@google.com on 2012-08-27)
  32. [W3C Web Crypto WG] functional features list in draft API and issue tracker (from Virginie.GALINDO@gemalto.com on 2012-08-22)
  33. Re: [W3C Web Crypto WG] functional features list in draft API and issue tracker (from sleevi@google.com on 2012-08-21)
  34. [W3C Web Crypto WG] functional features list in draft API and issue tracker (from Virginie.GALINDO@gemalto.com on 2012-08-21)
  35. Re: Support for generic authentication tokens (from mzollinger@netflix.com on 2012-08-21)
  36. Re: Support for generic authentication tokens (from sleevi@google.com on 2012-08-17)
  37. Re: Support for generic authentication tokens (from mzollinger@netflix.com on 2012-08-14)
  38. RE: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from Vijay.Bharadwaj@microsoft.com on 2012-08-14)
  39. Re: Support for generic authentication tokens (from sleevi@google.com on 2012-08-10)
  40. Support for generic authentication tokens (from mzollinger@netflix.com on 2012-08-10)
  41. Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from hhalpin@w3.org on 2012-08-08)
  42. Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from ddahl@mozilla.com on 2012-08-08)
  43. Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from mountie.lee@mw2.or.kr on 2012-08-06)
  44. crypto-ISSUE-15: Discovering certificates associated with (private) keys [Web Cryptography API] (from sysbot+tracker@w3.org on 2012-08-06)
  45. New Editor's Draft (from sleevi@google.com on 2012-08-05)
  46. Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from sleevi@google.com on 2012-08-05)
  47. Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API] (from sleevi@google.com on 2012-08-05)
  48. Re: crypto-ISSUE-15: Discovering certificates associated with (private) keys [Web Cryptography API] (from sleevi@google.com on 2012-08-05)

Related notes:

Editor suggests to keep this issue for after the FPWD (see http://lists.w3.org/Archives/Public/public-webcrypto/2012Aug/0020.html)

Virginie GALINDO, 13 Aug 2012, 14:57:14

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 15.html,v 1.1 2017/02/13 16:16:50 ted Exp $