On 6 Aug 2011, at 17:01, David Dahl wrote:
> Henry,
>
> Your login and logout concept is perhaps a parallel to the sessions
> functionality in Mozilla's Identity work:
> https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest-Session
David,
the logout() method I am speaking of is not a concept. It is part of Mozilla
and Internet Explorer and works. The Javascript is the following
---------
// Ask the browser to drop the current TLS client-certificate session.
// Returns false when the browser handled it (the link is not followed),
// true when the caller should follow the link and let the server break the session.
function logout(elem) {
    if (document.all == null) { // not Internet Explorer
        if (window.crypto) {
            try {
                window.crypto.logout();
                return false; // Firefox ok -- no need to follow the link
            } catch (err) { // Safari, Opera, Chrome -- try with session breaking
            }
        } else { // also try with session breaking
        }
    } else { // MSIE 6+
        document.execCommand('ClearAuthenticationCache');
        return false;
    }
    return true;
}
function login(elem) { logout(elem); }
-----
Then you can just put the following html in your page
<a href={"/user/joe/control-panel"}>Joe</a>|<a href="/logout" onclick="return logout();">logout</a>
And Firefox and I believe MS will logout. I will have a server up demonstrating
that in the next few days.
This is the right way to close a TLS session. The browser then can ask the user
to choose a new certificate, certain that this was indeed what the user wanted.
So the above is at a different layer from what Mozilla is doing with the
verified e-mail protocol, since Mozilla is working on the verified e-mail
protocol but already has the logout() method.
If the verified e-mail protocol is the same as what is now known as BrowserId,
then I also support work in that area. But there are many organisations that
would find TLS client certificate usage dramatically improved if they could
just help the browser log out cleanly at the TLS layer. Specifying this can't
be that much work, and would help guide people in the right direction here.
Henry
>
>
> Cheers,
>
> David
>
> ----- Original Message -----
> From: "Henry Story" <[email protected]>
> To: "David Dahl" <[email protected]>
> Cc: [email protected], [email protected]
> Sent: Saturday, August 6, 2011 9:05:15 AM
> Subject: Re: TLS Logout - Re: [whatwg] window.cipher HTML crypto API draft spec
>
>
> On 6 Aug 2011, at 16:01, David Dahl wrote:
>
>> Henry:
>>
>> There is no reason a login and logout (that work properly) cannot be added
>> to window.crypto, however, the scope and focus of 'DOMCrypt' is as
>> narrowly-defined as possible. Adding features like this would only slow
>> progress.
>
> David, this is a really essential feature. If you are worried that one method
> call can slow progress of DOMCrypt, then where do you think that should be
> standardised?
>
> Or perhaps someone else has an opinion here?
>
> Henry
>
>>
>> Regards,
>>
>> David
>>
>> ----- Original Message -----
>> From: "Henry Story" <[email protected]>
>> To: "David Dahl" <[email protected]>
>> Cc: [email protected], [email protected]
>> Sent: Saturday, August 6, 2011 6:16:22 AM
>> Subject: TLS Logout - Re: [whatwg] window.cipher HTML crypto API draft spec
>>
>> Hi,
>>
>> I have been looking at how a client can logout from a TLS session recently,
>> so that if a user sends the wrong certificate to the server, the server can
>> propose a way for the user to choose a different one.
>>
>> The correct way to do this would be to build it right into the browser, so
>> that at all times the user is in control of his Persona, i.e. to extend Aza
>> Raskin's work to the TLS layer [1].
>>
>> The second best way is to have a Javascript API to logout the user, that web
>> page authors can use to offer this feature. Firefox and Internet explorer
>> have such an API. The Firefox one is described in the WebCrypto API [2] by
>> Channy Yun, which was discussed on this list recently.
>>
>> The code to run both in IE and Firefox is quite simple. I submitted a bug
>> report to Chrome with the code to suggest that they could implement this
>> there too
>>
>> http://code.google.com/p/chromium/issues/detail?id=90676
>>
>> But they want the DOMCrypt spec approval before implementing. Is that
>> something that could be added to DOMCrypt? Or should one look somewhere
>> else?
>>
>> This is a really simple function, but it is so useful.
>>
>> Henry
>>
>>
>> [1] http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>> [2] http://html5.creation.net/webcrypto-api/
>> (the login method does not work currently in Firefox, one has to use
>> logout, where the connection then asks the client for a certificate)
>>
>>
>>
>>
>>
>> On 20 May 2011, at 17:04, David Dahl wrote:
>>
>>> Hello WHATWG members,
>>>
>>> With user control and privacy in mind, I have created a spec and an
>>> implementation for an easy to use cryptography API called DOMCrypt. This
>>> API will provide each web browser window with a 'cipher' property that
>>> facilitates:
>>>
>>> * asymmetric encryption key pair generation
>>> * public key encryption
>>> * decryption
>>> * signature generation
>>> * signature verification
>>> * hashing
>>> * easy public key discovery via meta tags
>>>
>>> I have created a Firefox extension that implements all of the above, and am
>>> working on an experimental patch that integrates this API into Firefox.
>>>
>>> The draft spec is here:
>>> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
>>>
>>> The project originated in an extension I wrote, the home page is here:
>>> http://domcrypt.org
>>>
>>> The source code for the extension is here:
>>> https://github.com/daviddahl/domcrypt
>>>
>>> The Mozilla bugs are here:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=649154
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=657432
>>>
>>> You can test the API by installing the extension hosted at domcrypt.org and
>>> addons.mozilla.org, and going to http://domcrypt.org
>>>
>>> Best Regards,
>>>
>>> David Dahl
>>>
>>> Firefox Engineer, Mozilla Corp.
>>
>> Social Web Architect
>> http://bblfish.net/
>>
>
> Social Web Architect
> http://bblfish.net/
>
Social Web Architect
http://bblfish.net/
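An added example, not taken from Henry's email or from any browser vendor: the same three-way logout decision, but with feature detection instead of the document.all test, and with window and document passed in so the logic can be exercised outside a browser. The names tlsLogout and wireLogoutLink are assumed here; the two browser calls are the legacy, vendor-specific APIs named in the thread.

```javascript
// Added example. Both calls are legacy, vendor-specific browser APIs discussed
// in the thread: window.crypto.logout() (old Firefox) and
// document.execCommand('ClearAuthenticationCache') (Internet Explorer 6+).
// `win` and `doc` are injected so the decision logic can run outside a browser.
function tlsLogout(win, doc) {
  // Old Firefox: ask the TLS layer to drop the client-certificate session.
  if (win && win.crypto && typeof win.crypto.logout === 'function') {
    try {
      win.crypto.logout();
      return { handled: true, method: 'crypto.logout' };
    } catch (err) {
      // window.crypto exists but logout() is not usable here: fall through.
    }
  }
  // Internet Explorer: clearing the authentication cache also drops the
  // cached TLS client certificate. Other browsers return false or throw.
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache') !== false) {
        return { handled: true, method: 'ClearAuthenticationCache' };
      }
    } catch (err) {
      // execCommand rejects the unknown command (non-IE): fall through.
    }
  }
  // No browser API: let the link navigate to /logout so the server can
  // break the session itself.
  return { handled: false, method: 'navigate' };
}

// Attach to a logout link: onclick returns false (stop navigation) only when
// the browser handled the logout, otherwise the href is followed as a fallback.
function wireLogoutLink(anchor, win, doc) {
  anchor.onclick = function () {
    return !tlsLogout(win, doc).handled;
  };
  return anchor;
}
```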