Credential Management suggestion CertificateExchangeCrendential type


#1

After reading the spec (see my notes here), and a conversation with people in the security industry, a question came up to mind (in context) and I thought i’d create a separate thread from the announcement.

We could have a CertificateExchangeCredential type from which the browser could manage its locally stored certificates. A user could have many web browsers with their own certificates.

A way to go might be that we can send a list of “acceptable” public certificates only once the user is already signed in.

Next sign-on process would only be to make a handshake with one of his previously generated private certificates. Provided the user previously did whitelist his certificates from his current browser last time he was authenticated.

Benefits from this is that a user could control the number of certificates he has, use it on more than one site, and use the browser itself to manage them.

It this out of scope? Has this been suggested?

PS I might be wrong and I know its close to WebID. But I still have doubts it had been implemented like this yet.


Can we get a "Security" category?
#2

It’s an interesting concept certainly, I’m not sure I understand fully the process flow you are suggesting.

  • Is the certificate TLS related or some of key to encrypt the data lower down the stack?
  • So the first use of CertificateExchangeCredential doesn’t use the certificate?
  • Is the main line of security here ‘a priori’ with using a previous certificate to encrypt from the browser to get another certificate on completion?
  • Would the user need to approve adding these certificates?