Web Signing in Action

Dear Webapps W/G members,

This is Channy Yun, one of the web standards evangelists in Korea. I'm so glad
to introduce myself to this working group. I want to get your advice about
the following issue. Please don't hesitate to share your thoughts.

*Motivation*
As some of you know, Korea's browser monoculture has prevented tech innovation
and user choice [1]. It was caused by a wrong implementation of digital
signatures under the Korean government's law and national PKI system. The
technique has been based on browser plugins such as ActiveX and Java applets,
so it has also caused many security problems on users' PCs. To date, 15 million
personal certificates have been issued, and they are used on e-banking, trading
and governmental sites to validate users and transactions in Korea.

Similarly, some European countries have also had national PKI systems, including
Denmark [2], Spain, etc. Denmark's system was open-sourced [3], but it is
also based on browser plugins. Most of the commercial market, such as private
CA services issuing personal certificates and transactions with digital
signatures, was dominated by VeriSign.

Many countries want to have a national CA and offer its services to citizens
with assurance by law [4]. So I thought a browser-based web signing model was
needed, given the bad example of Korea.

*History*
Some people and I raised this issue with the WHATWG because it was solved by
browser vendors. Anders Rundgren also made his own model, WASP - signing data
in browser sessions [5], and I worked on adding digital signatures to <form>
processing in HTML5.

The following is the history of this issue.

http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-September/thread.html#7246
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-October/thread.html#7573
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-November/thread.html#7592
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/015513.html
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/thread.html#15522
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/thread.html#18919

Ian recommended that we continue this discussion in the Webapps W/G [6]. Anders
has also made another effort to solve the issue [7].

*Rebuilding of Web Signing Profile*
Maybe this long history was recognized by the leading people of this group. I
am not sure whether the web signing profile activity was started for this
purpose or not. But it seems to have been integrated with Widget's digital
signature, and there has been no further action.

As you know, the technology situation has changed a lot since this issue was
first raised. Ajax was born, and there are many web applications based on open
standards and Web APIs.

So I want you to consider this issue in this working group with a new
baseline, and I want browser vendors to join this issue quickly, before many
countries make the same mistake as Korea. Browser functions such as
crypto.signText or IE's CAPICOM DLL are deprecated right now. So it is
essential to make a new standard and implement it.

*References*
[1] http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s
[2] http://www.virk.dk/digital_signatur
[3] http://www.openoces.org/index.html
[4] https://wiki.mozilla.org/CA:Schedule
[5] http://webpki.org/
[6] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/018935.html
[7] https://informationcard.net/wiki/index.php/Browser_Integration_WG


Channy
---------------------
http://www.linkedin.com/in/channy
http://www.creation.net

Daum Developers Network & Affiliates
http://dna.daum.net

Received on Sunday, 22 March 2009 09:52:22 UTC