Re: Web Sigining in Action

Dear Marcos Caceres,

Thanks for your kind reply. Sorry my delay.

> Ian recommended us to continue this discussion in Webapps W/G[6]. Andres
> also has tried another effort to solve issue[7].
> >
>
> can you please send us a better summary.


As you know, most of certificate service consist of three steps: 1. Issuing
of personal certificate 2. Authentication and validation per each
certificate 3. Digital signing for valid text or document.

I meant this full process was lack in web browser right now, anyway many
private or public CAs have did it in web browser. It means they couldn't
help using plug-in method for missing link. I know some of european
government also used plugins (http://www.openoces.org/index.html) as well as
Verisign's private CA service. Actually all of plugins had same functions
and cost in duplicated. In case of Korea, there are over 40 same function
Active X plugin per each CA or PKI companies. If there is good spec. for web
browser, it can be implemented soon.

All browser already had certificate storage that issued personal
certificates can be managed and own PKI library (open source or not) that
validates certificate and does digital signing. Actually   there were
"issuing certificate" in web browser such as such as "text-signing
functions" in web browser such as crypto.signText() and Microsoft
capicom.dll.

So I suggested form-based signing such as <form signed="signined"> in HTML5
spec. If web browser count this form, it can be proceeded choosing
certificate, signing text and send to server. Ian thought there are many
apps based consideration not for only HTML spec. He recommended for me to
suggest it in this w/g.



>
> > Rebuilding of Web Signing Profile
> > Maybe this long history was recognized by leading people of this group. I
> don’t convince whether the activity of web signing profile was made by this
> purpose or not. But, it seems to integrate with Widget’s digital signature
> and there is no action further.
> >
>
> I dont understand. can you please make your comments against the
> current editor's draft of our spec?


I don't blame for your current widget:digital signature and just wondered
whether "web signing profile" is limited widget area or not. I still thank
you and member's job for developing current spec and it'll be useful
trust-building among widget vendors, providers and users.

So my suggestion is complete another about your current job and want for w/g
member to consider for future job.


> So I want for you to consider this issue in this working group with new
> baseline and for to browser vendors to join this issue quickly before many
> countries commit a fault as like Korea. Brower’s functions as like
> crypto.signText or IE’s CAPICOM dll were deprecated in right now. So it is
> essential making new standard and implementation them.
> >
>
> I'm not sure what you wan us to do.


Mine is very simple: Finding simple job in web browser to support full
process of digital signing. In view of webapps, all of functions have better
be declared by Javascript interface. It may be similar with old IE's capicom
method http://msdn.microsoft.com/en-us/library/aa388154%28VS.85%29.aspx or
http://docs.sun.com/source/816-6152-10/sgntxt.htm.

Simple scheme is as followng fuctions:

1. issuing and validation of personal certificate
auth.ceritificate.issue()
auth.certificate.revoke()
auth.certificate.validate() for OCSP protocol.

2. digital signing.
auth.certificate.open()
auth.certificate.validate()
auth.signText()
auth.signXML()
auth.send() - xmlhttprequest.send()
auth.close()

e.x. resultString = auth.signText(stringToSign, caOption, [caNameString1,
[caNameString2, . . . ]])

Channy