
SPKAC (Signed Public Key and Challenge, also known as Netscape SPKI) is a format for sending a certificate signing request (CSR): it encodes a public key, and it can be manipulated using OpenSSL. It is created using the little-documented HTML keygen element inside a number of Netscape-compatible browsers.
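As an added illustration (not code from the original article), the openssl(1) command-line flow that a server-side verifier would use: generate a key pair standing in for what the browser's keygen element did, produce an SPKAC bound to a challenge, then verify the signature and read back the challenge, signature algorithm and public key. It assumes the `openssl` binary is on PATH; the challenge string is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the original article): exercising the SPKAC format with
# the openssl(1) command-line tool. Assumes `openssl` is on PATH; the challenge
# string passed in by the caller is a constructed sample value.
set -eu

WORKDIR="${TMPDIR:-/tmp}/spkac-demo.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a throwaway RSA key pair, standing in for the key that <keygen>
# created inside the browser. The private key never leaves the client.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/key.pem" 2>/dev/null
}

# Build the SPKAC: the public key plus the server-issued challenge, signed by
# the private key. Binding the challenge into the signature is what stops a
# captured SPKAC from being replayed in a different enrolment session.
# Note: `openssl spkac` signs with MD5 unless told otherwise, which is exactly
# the weakness the IETF draft sets out to remove.
make_spkac() {
    openssl spkac -key "$WORKDIR/key.pem" -challenge "$1" -out "$WORKDIR/spkac.txt"
    cat "$WORKDIR/spkac.txt"            # a single line: SPKAC=<base64>
}

# Server side, step 1: check the self-signature over key-plus-challenge.
# Exit status 0 means the signature verified ("Signature OK" on stderr).
verify_spkac() {
    openssl spkac -in "$WORKDIR/spkac.txt" -verify -noout
}

# Server side, step 2: pull out the decoded challenge so it can be compared
# with the one that was issued for this session.
spkac_challenge() {
    openssl spkac -in "$WORKDIR/spkac.txt" | sed -n 's/^ *Challenge String: //p'
}

# Server side, step 3: record which signature algorithm was used, so that a
# policy can reject MD5-signed requests.
spkac_sig_alg() {
    openssl spkac -in "$WORKDIR/spkac.txt" | sed -n 's/^ *Signature Algorithm: //p'
}

# Extract the enrolled public key as PEM, ready to be placed in the certificate.
spkac_pubkey() {
    openssl spkac -in "$WORKDIR/spkac.txt" -noout -pubkey
}
```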


Standardisation

There is an ongoing effort to standardise SPKAC through an Internet Draft in the Internet Engineering Task Force (IETF). The purpose of this work has been to formally define what previously existed only as a de facto standard, and to address security deficiencies, particularly with respect to the historic insecure use of MD5, which has since been declared unsafe for use with digital signatures as per RFC 6151.


Implementations

HTML5 originally specified the <keygen> element to support SPKAC in the browser, to make it easier to create client-side certificates through a web service for protocols such as WebID; however, subsequent work on HTML 5.1 placed the keygen element "at-risk", and the first public working draft of HTML 5.2 removed the keygen element entirely. The removal of the keygen element is due to non-interoperability and non-conformity from a standards perspective, in addition to security concerns. The World Wide Web Consortium (W3C) Web Authentication Working Group developed the WebAuthn (Web Authentication) API to replace the keygen element. Bouncy Castle provides a Java class. An implementation for Erlang/OTP exists too. An implementation for Python is named pyspkac. The PHP OpenSSL extension supports SPKAC natively as of version 5.6.0. A Node.js implementation also exists.


Deficiencies

The user interface in browsers needs to be improved, to make it more obvious to users when a server is asking for a client certificate.


See also

* Simple public-key infrastructure (SPKI)


External links

* IETF draft: Signed Public Key and Challenge
* An overview of how the keygen tag works with spkac in php, http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt (dead link; archived 2013-04-16 at https://archive.today/20130416090354/http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt)
* PHP v5.6 now supports SPKAC natively
* Native SPKAC support in PHP OpenSSL extension with release of v5.6.0-Alpha3
* Native SPKAC support in Node.js (with release of v0.11.8)
* SPKAC demo in Node.js (requires node.js release > v0.11.8)