- From: Channy Yun <channy@gmail.com>
- Date: Fri, 27 Mar 2009 03:38:56 +0900
- To: marcosc@opera.com
- Cc: WebApps HG <public-webapps@w3.org>, Jungshik Shin <jungshik@google.com>, Gen Kanai <gen@mozilla.com>, Anders Rundgren <anders.rundgren@telia.com>, Ian Hickson <ian@hixie.ch>
- Message-ID: <3586624e0903261138w3bfcfce1i1c9ff7918f3859dc@mail.gmail.com>
Dear Marcos Caceres, Thanks for your kind reply. Sorry my delay. > Ian recommended us to continue this discussion in Webapps W/G[6]. Andres > also has tried another effort to solve issue[7]. > > > > can you please send us a better summary. As you know, most of certificate service consist of three steps: 1. Issuing of personal certificate 2. Authentication and validation per each certificate 3. Digital signing for valid text or document. I meant this full process was lack in web browser right now, anyway many private or public CAs have did it in web browser. It means they couldn't help using plug-in method for missing link. I know some of european government also used plugins (http://www.openoces.org/index.html) as well as Verisign's private CA service. Actually all of plugins had same functions and cost in duplicated. In case of Korea, there are over 40 same function Active X plugin per each CA or PKI companies. If there is good spec. for web browser, it can be implemented soon. All browser already had certificate storage that issued personal certificates can be managed and own PKI library (open source or not) that validates certificate and does digital signing. Actually there were "issuing certificate" in web browser such as such as "text-signing functions" in web browser such as crypto.signText() and Microsoft capicom.dll. So I suggested form-based signing such as <form signed="signined"> in HTML5 spec. If web browser count this form, it can be proceeded choosing certificate, signing text and send to server. Ian thought there are many apps based consideration not for only HTML spec. He recommended for me to suggest it in this w/g. > > > Rebuilding of Web Signing Profile > > Maybe this long history was recognized by leading people of this group. I > don’t convince whether the activity of web signing profile was made by this > purpose or not. But, it seems to integrate with Widget’s digital signature > and there is no action further. > > > > I dont understand. can you please make your comments against the > current editor's draft of our spec? I don't blame for your current widget:digital signature and just wondered whether "web signing profile" is limited widget area or not. I still thank you and member's job for developing current spec and it'll be useful trust-building among widget vendors, providers and users. So my suggestion is complete another about your current job and want for w/g member to consider for future job. > So I want for you to consider this issue in this working group with new > baseline and for to browser vendors to join this issue quickly before many > countries commit a fault as like Korea. Brower’s functions as like > crypto.signText or IE’s CAPICOM dll were deprecated in right now. So it is > essential making new standard and implementation them. > > > > I'm not sure what you wan us to do. Mine is very simple: Finding simple job in web browser to support full process of digital signing. In view of webapps, all of functions have better be declared by Javascript interface. It may be similar with old IE's capicom method http://msdn.microsoft.com/en-us/library/aa388154%28VS.85%29.aspx or http://docs.sun.com/source/816-6152-10/sgntxt.htm. Simple scheme is as followng fuctions: 1. issuing and validation of personal certificate auth.ceritificate.issue() auth.certificate.revoke() auth.certificate.validate() for OCSP protocol. 2. digital signing. auth.certificate.open() auth.certificate.validate() auth.signText() auth.signXML() auth.send() - xmlhttprequest.send() auth.close() e.x. resultString = auth.signText(stringToSign, caOption, [caNameString1, [caNameString2, . . . ]]) Channy
Received on Thursday, 26 March 2009 18:39:38 UTC