WebCert - SOP
2013. 7. 19.
Sangrae Cho, Authentication Research Team
Korean banking use case
Participants: Web Browser; caserver.com (origin for certificate issue); bank.com (origin for certificate use)
1. Public key pair is generated in the browser.
2. Issue certificate (caserver.com → Web Browser)
3. Use certificate (digital signature) (Web Browser → bank.com)
4. Verify certificate (bank.com)
Proposed solution
Flow: the web client sends a wire transfer request to bank.com; bank.com returns the wire transfer page for digital signature, either with or without a Trusted CA List.
• No trusted CA list – SOP governs
  • Private key belongs to the origin server
• Trusted CA list – SOP exception
  • Display any certificate that is issued by trusted CAs
  • Private key belongs to a user
  • The user can prove its ownership by decrypting the encrypted private key
Proposed solution: preconditions
• Suppose we have a JavaScript API to discover a certificate:
  Certificate[] getCertificate(String trustedCAList)
  • Certificates belonging to the trusted CAs are returned if trustedCAList is provided
  • Certificates belonging to the origin are returned if no trustedCAList is provided
• The following certificates are issued to the web client:
  • cert1 = certificate issued from bank.com
  • cert2 = certificate issued from caserver.com
Proposed solution - Case 1: No trusted CA list – SOP governs
1. Wire transfer request (web client → bank.com)
2. HTML page for digital signature, with no Trusted CA List (bank.com → web client)
3. Page returned with digital signature for wire transfer (web client → bank.com)
• After receiving no. 2:
  • getCertificate(); is executed with no Trusted CA list
  • getCertificate(); returns cert1 (issued from bank.com) according to SOP
  • The user signs the page digitally with the private key related to cert1 and sends it to bank.com
Proposed solution - Case 2: Trusted CA list – SOP exception
1. Wire transfer request (web client → bank.com)
2. HTML page for digital signature, with Trusted CA List (bank.com → web client)
3. Page returned with digital signature for wire transfer (web client → bank.com)
• After receiving no. 2:
  • getCertificate("caserver.com"); is executed with trustedCAList = "caserver.com"
  • getCertificate("caserver.com"); returns cert2 (issued from caserver.com) according to the SOP exception
  • The user signs the page digitally with the private key related to cert2 and sends it to bank.com
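The selection rule behind Case 1 and Case 2, as an added example that is not part of the slides: a model of the proposed getCertificate(trustedCAList) over a constructed certificate store. The `origin` parameter (the host of the calling page, which a real browser would supply itself), the comma-separated list format and the `issuer`/`subject` fields are assumptions.

```javascript
// Added example (not from the slides): model of the proposed
// getCertificate(trustedCAList) selection rule.

// Constructed browser-side certificate store: cert1 issued by bank.com,
// cert2 issued by caserver.com, matching the slides' preconditions.
const CERT_STORE = [
  { id: "cert1", issuer: "bank.com", subject: "user@bank" },
  { id: "cert2", issuer: "caserver.com", subject: "user@ca" },
];

// Normalize a host so "Bank.com" and "bank.com" compare equal, while the
// comparison itself stays exact: no substring or suffix matching, so a
// look-alike issuer such as "evil-caserver.com" never matches "caserver.com".
function normalizeHost(host) {
  return String(host).trim().toLowerCase();
}

// `origin` is the host of the page calling the API (assumed to be supplied
// by the browser, never by the page). `trustedCAList` is assumed to be a
// comma-separated string of CA hosts.
//  - no list (or an empty list): SOP governs, only certificates issued by
//    the calling origin are returned
//  - list given: SOP exception, certificates issued by any listed CA are
//    returned
function getCertificate(origin, trustedCAList, store = CERT_STORE) {
  const listed = (trustedCAList || "")
    .split(",")
    .map(normalizeHost)
    .filter((h) => h.length > 0);
  const allowedIssuers =
    listed.length > 0 ? new Set(listed) : new Set([normalizeHost(origin)]);
  return store.filter((cert) => allowedIssuers.has(normalizeHost(cert.issuer)));
}

// Case 1: bank.com page, no Trusted CA List -> cert1 only.
const case1 = getCertificate("bank.com");
// Case 2: bank.com page, trustedCAList = "caserver.com" -> cert2 only.
const case2 = getCertificate("bank.com", "caserver.com");
// Look-alike CA host in the list: exact matching returns nothing.
const lookalike = getCertificate("bank.com", "evil-caserver.com");

console.log(case1.map((c) => c.id)); // ["cert1"]
console.log(case2.map((c) => c.id)); // ["cert2"]
console.log(lookalike.map((c) => c.id)); // []
```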