Re: Web Sigining in Action

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Thu, 26 Mar 2009 22:01:16 +0100
Message-ID: <13EA7D94DD2C4BF9A2E34B74CEC060B1@AndersPC>
To: <channy@gmail.com>
Cc: <marcosc@opera.com>, "WebApps HG" <public-webapps@w3.org>, "Jungshik Shin" <jungshik@google.com>, "Gen Kanai" <gen@mozilla.com>, "Ian Hickson" <ian@hixie.ch>, "Thomas Roessler" <tlr@w3.org>

Hi Channy,

I think there are several projects that we need to do in order to succeed.
Smart cards as provided in the EU typically only manage to support a single CA.
But that works badly because we have many providers and they are unlikely to settle on a single CA.
As an example most employers would typically run CAs for employees, something which is trivial if you have MSFT AD.

Open KeyStore
That's why I am in the process of launching Open KeyStore which is based on cheap reprogrammed USB memory sticks with India, China, Africa and Latin America as the primary (but not only) target.

Web Signing
I'm not completely buying into the signature concept you propose and that explains a bit why things are going so slow :-)
I personally believe that you should only sign static data on the web because this reflects how most web transactions work today.
1. First you build up a transaction request
2. Then you say "checkout", "ready" or similar
3. Then you get presented with a static form showing what you are requesting plus an OK button
The point with this is that you don't have to change anything in HTML in order to sign, you just run the signature algorithm over the static view.  Yes, my WASP proposal is a bit more than that but that's because I want to be able to sign HTML with embedded images, as well as PDF, JPG, DOC, etc etc.

Regards
Anders

  ----- Original Message ----- 
  From: Channy Yun 
  To: Anders Rundgren 
  Cc: marcosc@opera.com ; WebApps HG ; Jungshik Shin ; Gen Kanai ; Ian Hickson ; Thomas Roessler 
  Sent: Thursday, March 26, 2009 19:49
  Subject: Re: Web Sigining in Action


  Dear all,

  I agree with Anders, who said that it is unclear whether a certain issue belongs to apps or not. I mean everyone didn't care about this while many industrial vendors have tirelessly made the same plugins in the web space. Although Anders indicated there were fewer certificate applications, there are 14 million users in Korea and many countries have considered a public CA area in the web browser. Japan made its own cryptographic algorithm called Camellia with Nokia pushing it to all browsers. It means Japan is interested in offering a public CA to all citizens. European I said.

  For several years, innovation from web browsers has changed the world. It's time to act, not only to think, and I believe that the html5 and webapps w/g can do this. Frankly speaking, my suggestion is very old, but it's cost-effective for existing vendors of both web browsers and plugin-based CAs.

  Thanks,

  Channy
  ---------------------
  http://www.linkedin.com/in/channy

  Daum Developers Network & Affiliates
  http://dna.daum.net




  On Wed, Mar 25, 2009 at 7:00 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:

    I think a problem is that it is unclear where a certain issue belongs.

    IMO all of the stuff I wrote about belongs to the app-area but some people
    think it is about security only.

    XML protocols in browsers is an app, at least as I see it.


    Anders

    ----- Original Message -----
    From: "Marcos Caceres" <marcosc@opera.com>

    To: "Anders Rundgren" <anders.rundgren@telia.com>
    Cc: "channy" <channy@gmail.com>; "WebApps HG" <public-webapps@w3.org>; "Jungshik Shin"
    <jungshik@google.com>; "Gen Kanai" <gen@mozilla.com>; "Ian Hickson" <ian@hixie.ch>; "Thomas
    Roessler" <tlr@w3.org>
    Sent: Tuesday, March 24, 2009 22:24
    Subject: Re: Web Sigining in Action



    On Tue, Mar 24, 2009 at 9:37 PM, Anders Rundgren
    <anders.rundgren@telia.com> wrote:
    > Hi Everybody,
    > There are simply TONS of issues related to usage of certificates in
    > conjunction with a browser. If you want, you can take a peek at the
    > current thread "client certificates unusable?" in mozilla-dev :-)
    >
    > I personally find it annoying that there are maybe some 100M USB
    > memory sticks in circulation that could have been a wonderful container
    > for keys but unfortunately it never happened. Well, a few US companies
    > tried to create proprietary solutions with SanDisk but (of course) they
    > all failed. Who wants to *pay* for a card driver? It is really
    > something that you would like the OS to have from the beginning!
    >
    > What does this have to do with Web Signing you may wonder? Well, IMO we need
    > to take this in a step-wise fashion and if we can't even get the "keyring" right, it seems
    > that the rest will be of secondary interest. That doesn't say I'm not interested in
    > Web Signing, I have just put it on the "back-burner" in favor of key storage and
    > execution.
    >
    > The absence of a useful <keygen> standard is a disaster. Will the browser-
    > vendors be able to address this issue? I don't expect that.
    >
    > Regarding Web Signing a large group of banks have turned to MSFT to get
    > this solved. I think they are overly optimistic about MSFT's capability and
    > interest in this area but it is a good thing that they are trying at least :-)
    >
    > Based on 13 years of experience with eID, I believe most of the web "standards"
    > in this area will not come from standardization forums because they have proved
    > to be good for really general purpose stuff, but much less successful for applications
    > like Web Sign and <keygen>. A scheme like my current KeyGen2 would not
    > take less than 3 years to standardize and the result would probably not be
    > very useful anyway. Why? Because there are too many choices and people
    > cannot work under such premises. Whatever <keygen> or WebSign we will
    > get, it will most certainly be an open source effort rather than a standard.
    >
    > What W3C could/should standardize is a way to get XML protocols running
    > in a browser and leave the content parts to other groups. IETF's KEYPROV
    > will fail as hard as XKMS did if we ignore the browser connection all the time.

    I see. Thanks for the history. However, what, if anything, should our
    working group do? I don't see anything that is in scope or anything
    directed at any one of our specifications. If we are screwing
    something up somewhere, then please be clear as to where and we will
    do our best to fix it.

    Kind regards,
    Marcos


    --
    Marcos Caceres
    http://datadriven.com.au
Received on Thursday, 26 March 2009 21:01:53 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT