RE: Digital signatures in the browser

Hello Tony,

The actual goal is to be able to digitally sign documents, for instance PDFs, using pre-provisioned keys contained in hardware tokens (interest currently leaning on regular smartcards).

I've previously looked at FIDO U2F, and even though I believe there could be some openness here to the idea of USB keys (like the U2F authenticators), I believe that's not the biggest drawback of FIDO U2F. From my understanding of the technology, the FIDO API will take a challenge as input to the signing operation; however, somewhere along the stack that challenge will be wrapped in a larger structure, and that's what will be signed. This would mean that it is not possible to simply sign the hash of a document, right?


Best Regards,
Bruno GONÇALVES
Functional Analyst External Provider

European Parliament
Directorate-General for Innovation and Technological Support
Directorate for Development and Support
Evolution and Maintenance Unit
brunogoncalo.nazare@ext.europarl.europa.eu
www.europarl.europa.eu

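As an added example (not part of this thread), the following Go program constructs the authentication data a U2F token actually signs and checks the point raised above: even when a document hash is supplied as the challenge, the ECDSA signature covers SHA-256 of the 69-byte structure, not the document hash itself. The appId, origin and clientData contents are constructed sample values, and the challenge is hex-encoded for readability where real U2F uses websafe base64.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// U2FSignedData is the byte string a U2F authenticator signs when authenticating
// (FIDO U2F raw message format): SHA-256(appId) || userPresence || counter (4 bytes,
// big-endian) || SHA-256(clientData). The challenge only appears inside clientData.
func U2FSignedData(appID string, clientData []byte, userPresence byte, counter uint32) []byte {
	appParam := sha256.Sum256([]byte(appID))
	challengeParam := sha256.Sum256(clientData)
	out := make([]byte, 0, 69)
	out = append(out, appParam[:]...)
	out = append(out, userPresence)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out = append(out, ctr[:]...)
	return append(out, challengeParam[:]...)
}

// SignAndCheck plays both sides with a fresh P-256 key: the authenticator signs the
// U2F structure, the verifier checks the signature against that structure and then
// against the bare document hash. Returns (structureVerifies, rawDocHashVerifies).
func SignAndCheck(document []byte) (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	docHash := sha256.Sum256(document)
	// Constructed clientData: the document hash is passed in as the challenge.
	clientData := fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%x","origin":"https://example.test"}`, docHash)
	signed := U2FSignedData("https://example.test", []byte(clientData), 0x01, 42)
	digest := sha256.Sum256(signed) // ECDSA is applied to the hash of the 69-byte structure
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	return ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig), ecdsa.VerifyASN1(&priv.PublicKey, docHash[:], sig), nil
}

func main() {
	okStructure, okRawHash, err := SignAndCheck([]byte("constructed sample document"))
	fmt.Println("verifies against U2F structure:", okStructure, "against bare document hash:", okRawHash, err)
}
```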

From: Tony Arcieri [mailto:bascule@gmail.com]
Sent: 08 March 2018 00:38
To: NAZARE GONCALVES Bruno Goncalo
Cc: public-web-security@w3.org
Subject: Re: Digital signatures in the browser

Depending on what you mean by "smartcard" and how flexible your needs are, FIDO U2F can be used to accomplish this in Chrome and Firefox today with no additional software. Though U2F is an authentication standard, what it exposes to the browser is effectively an API for performing ECDSA signatures (w/ NIST P-256 elliptic curve) using an origin-specific key.

On Wed, Mar 7, 2018 at 8:05 AM, NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:
Dear Web Security IG,

I'm currently working for the European Parliament, looking for upcoming solutions to the problem of creating digital signatures with a smartcard directly from a web page, without resorting to additional software.

Thus, I would like to ask if there are any efforts currently underway to support this use case or if any will be undertaken in the foreseeable future.

I'm aware of the following initiatives that could be somewhat related:
 - WebCrypto Key Discovery (https://www.w3.org/TR/webcrypto-key-discovery/)
 - Web API For Accessing Secure Element (http://globalplatform.github.io/WebApis-for-SE/doc/)
 - Hardware Based Secure Services features (https://rawgit.com/w3c/websec/gh-pages/hbss.html)

Have these been considered already? If so, what's the current sentiment surrounding them? If not, are there any plans to analyse these or similar solutions in the foreseeable future?


Best Regards,
Bruno GONÇALVES
Functional Analyst External Provider

European Parliament
Directorate-General for Innovation and Technological Support
Directorate for Development and Support
Evolution and Maintenance Unit
brunogoncalo.nazare@ext.europarl.europa.eu
www.europarl.europa.eu



This message contains confidential information intended solely for the attention of the named addressee. It may not be used, disclosed or copied in any way whatsoever by anyone else than the intended addressee. If you are not the intended addressee, please contact the sender and delete this message. The sender of this message is not authorized to represent the European Parliament and therefore this message does not necessarily reflect the official position of the European Parliament and is not legally binding upon it.

--
Tony Arcieri

Received on Friday, 9 March 2018 13:57:05 UTC