W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: Web Sigining in Action

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Tue, 24 Mar 2009 21:37:52 +0100
Message-ID: <CCBF858FB49F46BE85CB621898C14CD0@AndersPC>
To: <marcosc@opera.com>, "channy" <channy@gmail.com>
Cc: "WebApps HG" <public-webapps@w3.org>, "Jungshik Shin" <jungshik@google.com>, "Gen Kanai" <gen@mozilla.com>, "Ian Hickson" <ian@hixie.ch>, "Thomas Roessler" <tlr@w3.org>
Hi Everybody,
There are simply TONS of issues related to usage of certificates in
conjunction with a browser.  If you want, you can take a peek at the
current thread "client certficates unusable?" in mozilla-dev :-)

I personally find it annoying that there are maybe some 100M USB
memory sticks in circulation that could have been a wonderful container
for keys but unfortunately it never happened.  Well, a few US compaines
tried to create proprietary solutions with SanDisk but (of course) they
all failed.  Who want to *pay* for a card driver?  It is really
something that you would like the OS to have from the beginning!

What does this have to do with Web Signing you may wonder?  Well, IMO we need
to take this in a step-wise fashion and if we can't even get the "keyring"´right, it seems
that the rest will be of secondary interest.  That doesn't say I'm not interested in
Web Signing, I have just put it on the "back-burner" in favor of key storage and
execution.

The absence of a useful <keygen> standard is a disaster.  Will the browser-
vendors be able to address this issue?  I don't expect that.

Regarding Web Signing a large groups of banks have turned to MSFT to get
this solved.  I think they are overly optimistic about MSFT's capability and
interest in this area but it is a good thing that they are trying at least :-)

Based on 13 years of experience with eID, I believe most of the web "standards"
in this are will not come from standardization forums because they have proved
to good for really general purpose stuff, but much less successful for applications
like Web Sign and <keygen>.   A scheme like my current KeyGen2 would not
take less than 3 years to standardize and the result would probably be not be
very useful anyway.  Why?  Because there are too many choices and people
cannot work under such premisses.  Whatever <keygen> or WebSign we will
get, it will most certainly be an open source effort rather than a standard.

What W3C could/should standardize is a way to get XML protocols running
in a browser and leave the content parts to other groups.  IETF's KEYPROV
will fail as hard as XKMS did if we ignore the browser connection all the time.

Best regards
Anders


----- Original Message ----- 
From: "Marcos Caceres" <marcosc@opera.com>
To: "channy" <channy@gmail.com>
Cc: "WebApps HG" <public-webapps@w3.org>; "Jungshik Shin" <jungshik@google.com>; "Gen Kanai" 
<gen@mozilla.com>; "Anders Rundgren" <anders.rundgren@telia.com>; "Ian Hickson" <ian@hixie.ch>
Sent: Tuesday, March 24, 2009 19:59
Subject: Re: Web Sigining in Action


2009/3/22 Channy Yun <channy@gmail.com>:
> Dear Webapps W/G members,
>
> This is Channy Yun, one of web standards evangelists in Korea. I'm so glad to introduce myself in 
> this working group. I want to get advice from you about as following my issue. Please don't 
> hesitate to write your thought.
>
> Motivation
> As someone knows, Korea's browser monoculture has prevented tech innovations and user's choice 
> [1]. It was caused by wrong implementation of digital signature by Korean govenment's the law and 
> national PKI system. Its technique has been based on browser plugin as like Active X and Java 
> applet, so it also made many security problems on user's PC. Nowadays 15 million personal 
> certificates were issued and they are used in e-banking, trading and governmental sites to valid 
> user and transaction in Korea.
>

rght

> Similarly some of European countries also had national PKI system including Denmark [2], Spain and 
> etc. Denmark's system was opensourced [3], but it is also based on browser plugins. It were 
> dominated by VeriSign most of commercial market as like private CA service with issuing personal 
> certificate and transaction with digital signature.
>

right

> Many countries want to national CA and offer their service to citizen with assurance by law[4]. So 
> I thought it needed browser-based web signing model by bad example of Korea.
>

right

> History
> I and some people suggested this issue to WHATWG because it was solved by browser vendors. Anders 
> Rundgren also did own model of WASP - signing data in browser sessions[5] and I did adding digital 
> signature in <form> processing in HTML5.
>

right

> As following is history of this issue.
>
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-September/thread.html#7246
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-October/thread.html#7573
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-November/thread.html#7592
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/015513.html
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/thread.html#15522
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/thread.html#18919
>
> Ian recommended us to continue this discussion in Webapps W/G[6]. Andres also has tried another 
> effort to solve issue[7].
>

can you please send us a better summary.

> Rebuilding of Web Signing Profile
> Maybe this long history was recognized by leading people of this group. I don’t convince whether 
> the activity of web signing profile was made by this purpose or not. But, it seems to integrate 
> with Widget’s digital signature and there is no action further.
>

I dont understand. can you please make your comments against the
current editor's draft of our spec?

> As you know, the technology situation was very changed in time raising this issue. Ajax was born 
> and there are many web applications based on open standards and Web APIs.
>

ok

> So I want for you to consider this issue in this working group with new baseline and for to 
> browser vendors to join this issue quickly before many countries commit a fault as like Korea. 
> Brower’s functions as like crypto.signText or IE’s CAPICOM dll were deprecated in right now. So it 
> is essential making new standard and implementation them.
>

I'm not sure what you wan us to do.

>
> Reference
> ------
> [1] http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s
> [2] http://www.virk.dk/digital_signatur
> [3] http://www.openoces.org/index.html
> [4] https://wiki.mozilla.org/CA:Schedule
> [5] http://webpki.org/
> [6] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/018935.html
> [7] https://informationcard.net/wiki/index.php/Browser_Integration_WG
>
>
> Channy
> ---------------------
> http://www.linkedin.com/in/channy
> http://www.creation.net
>
> Daum Developers Network & Affiliates
> http://dna.daum.net
>



-- 
Marcos Caceres
http://datadriven.com.au 
Received on Tuesday, 24 March 2009 20:38:28 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT