add detailed keygen sequence diagram.
author Henry Story <henry.story@bblfish.net>
Fri, 09 Aug 2013 15:39:34 +0200
changeset 396 f96a470e01c7
parent 395 f8a14966ba2b
child 397 7d1bdb6705e5
spec/img/keygen-sequence.graffle/data.plist
spec/img/keygen-sequence.graffle/image1.pdf
spec/img/keygen-sequence.graffle/image3.png
spec/img/keygen-sequence.graffle/image4.tiff
spec/img/keygen-sequence.png
spec/tls-respec.html
Binary file spec/img/keygen-sequence.graffle/data.plist has changed
Binary file spec/img/keygen-sequence.graffle/image1.pdf has changed
Binary file spec/img/keygen-sequence.graffle/image3.png has changed
Binary file spec/img/keygen-sequence.graffle/image4.tiff has changed
Binary file spec/img/keygen-sequence.png has changed
--- a/spec/tls-respec.html	Fri Aug 09 08:27:40 2013 +0200
+++ b/spec/tls-respec.html	Fri Aug 09 15:39:34 2013 +0200
@@ -602,8 +602,26 @@
 <p>Many tools exist to create Certificates. 
 Some <tref>Key Store</tref>s allow a user to create the Certificate directly with a friendly User Interface. 
 But using a <tref>Key Store</tref> on the client still requires the public key to be published on the server as detailed in the next section.
-It is possible to combine the creation of the key with its publication in one step in such a way as to allow the server to make the decision of what the <tref>WebID</tref> should be, by using the <a href="http://www.w3.org/TR/html5/the-button-element.html#the-keygen-element">HTML 5 keygen</a> element. 
-This element can be placed in an HTML5 form, where on submitting the form, the browser asks the <tref>Key Store</tref> to create a public and private key pair, and on receiving the public part of that key pair, the Client can send a key request as part of the form to the <tref>Service</tref>. The <tref>Service</tref> can then create a <tref>WebID Certificate</tref> and return it to the <tref>Client</tref> to pass onto the <tref>Key Store</tref>. In that way the Server is in the position to best make the decisions of what the <tref>Certificate</tref> should say and what the <tref>WebID</tref> should be without the private key ever leaving the secure <tref>Key Store</tref>. The user experience for this Certificate creation is a one click operation.
+It is possible to combine the creation of the key with its publication in one step in such a way as to allow the server to make the decision of what the <tref>WebID</tref> should be, by using the <a href="http://www.w3.org/TR/html5/forms.html#the-keygen-element">HTML 5 keygen</a> element which can be added to an HTML form, as shown in this example:
+</p>
+<pre>
+  &lt;form action="/srv/certificateMaker" method="POST"&gt; 
+   &lt;keygen challenge="random" name="spkac"/&gt;
+   &lt;input type="submit" name="Create Certificate"/&gt;
+  &lt;/form&gt;
+</pre>
+<p>
+When the user clicks such a form, the following sequence can take place on a properly configured server:
+</p>
+<ol>
+ <li>just before it submits the form, the browser asks the Key Store to create a public and private key pair, and saves the private key in its local <tref>Key Store</tref> 
+ <li>the browser then sends the public part of the key in the spkac format along with any additional attribute values from the form to the certificate maker form handler with an HTTP <code>POST</code>
+ <li>The Certificate Maker service can then create an X509 Certificate with the user's WebID filled in the Subject Alternative Name field and return this to the Client
+ <li>the browser on receiving the response find the matching private key and places both in the Key Store
+</ul>
+<img alt="Keygen Sequence Diagram" src="img/keygen-sequence.png" />
+<p>The private key never leaves the secure Key Store. This exchange allows the Server to make the decision about what the Certificate should say, what the WebID should be, and to simultaneously add the public key to the User's <tref>WebID Profile</tref> page. The user experience for this Certificate creation is a one click operation. 
+</p>
 </section>
 </section>
 <section class='normative'>
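Review bot: the new numbered list opens with `<ol>` but is closed with `</ul>`, so the `<ol>` is never closed and ReSpec will render mismatched markup; change the closing tag to `</ol>` and close each `<li>` as the rest of the spec does. Two details of the example form will mislead anyone who copies it: `challenge="random"` reads as though the literal string were acceptable, whereas the challenge is meant to be a per-request nonce the server generates and later checks inside the signed SPKAC, and `<input type="submit" name="Create Certificate"/>` sets the field name rather than the button label, so it should be `value="Create Certificate"`. The sequence also omits the step the security of the scheme rests on: before step 3 the certificate maker must verify the SPKAC signature (proof that the submitting client holds the private key) and must know which authenticated user submitted the form, because the last paragraph has the server publishing the key in that user's WebID Profile; without that binding any client could post a key into someone else's profile. Minor: step 4 should read "finds the matching private key", "When the user clicks such a form" should be "submits such a form", and step 3 is worth completing with the fact that browsers only install the returned certificate when it is served as `application/x-x509-user-cert`.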
@@ -614,7 +632,7 @@
 
 <p class="note">The <a href="http://www.w3.org/ns/auth/cert#">cert ontology</a> will be extended to cover DSA, Eliptic Curve Cryptography, and other cryptographic alogrithms as requests for them are made, proposals accepted, and when enough working and compatible implementations can be shown to work. Please contact the <a href="http://www.w3.org/community/webid/">WebID Comunity Group</a> with requests and proposals.</p>
 The set of relations to be published at the <tref>WebID Profile</tref> document can be presented in a graphical notation as follows.</p>
-<img alt="Web ID graph" width="90%" src="img/WebIdGraph.jpg"/>
+<img alt="Web ID Profile Publication" width="90%" src="img/WebIdGraph.jpg"/>
 <p>The document can publish many more relations that are of interest to the WebID-TLS protocol, as shown in the above graph by the grayed out relations. 
 For example Bob can publish a depiction or logo, so that sites he authenticates to can personalize the user experience. He can post links to people he knows, where those have <tref>WebID</tref>s published on other sites, in order to create a distributed Social Web. 
 He can also publish relations to protected documents, where he keeps more information for people who authenticate, such as his friend Alois or his friends friends who may not yet know him personally, such as Alice.
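Review bot: only the alt text changes in this hunk, but the unchanged context lines around it carry errors worth fixing in the same pass: "Eliptic" should be "Elliptic", "alogrithms" should be "algorithms", "Comunity" should be "Community", and the sentence "The set of relations to be published ..." ends with `</p>` without a matching opening `<p>`.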
@@ -711,7 +729,7 @@
  Once the verification succeeds the Guard checks to see if the Agent identified by the <tref>WebID</tref> is allowed access to the resource, by using trusted information from the Web and access control rules. 
 </p>
 
-<img width="90%" src="img/WebIDSequence-friendly.png">
+<img align="left" alt="WebID Sequence Diagram" width="90%" src="img/WebIDSequence-friendly.png">
 <p>The steps in detail are as follows:</p>
 <ol>
     <li><tref>Bob</tref>'s <tref>Client</tref> MUST open a TLS [[!TLS]] connection with the server which authenticates itself using the standard TLS protocol.
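Review bot: `align="left"` on `<img>` is an obsolete presentational attribute in HTML5 and will be flagged when the ReSpec output is validated; use CSS instead (for example `style="float:left"` or a class in the spec's stylesheet). Floating an image that is 90% wide also makes the following "The steps in detail are as follows:" paragraph and list wrap into the remaining 10% of the width, so the float is probably not wanted at all. Adding the `alt` text is a good fix and should stay.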