
Re: signing text in browser with client certificate

From: TRON-DELTA.ORG <info@tron-delta.org>
Date: Thu, 27 Dec 2012 02:11:54 +0100
Message-ID: <50DBA05A.2020709@tron-delta.org>
To: public-webcryptoapi@w3.org

I found the following within the document [D1] »Web Cryptography API« (W3C
Working Draft 13 September 2012), chapter 4.4 (Out of scope):

"This API, while allowing applications to generate, retrieve, and manipulate [..]"

As far as I can see this is also the latest published version. As I understand
from the document it does not define the way of implementation itself. Therefore
your question regarding obstacles is indeed a valid one!

I think it is mandatory to ensure that the user agent does not get compromised
(a lot of techniques are required here) and the local certs are kept safe by all
means (even when the user agent was compromised). I think a special UI is not
necessary here but an extension of configuration menus, maybe a generator for
certs, a checker/validator, and something like that. Maybe this could look a
little bit like the OpenPGP menu and config stuff, e.g. in Thunderbird. This
is for the client-side implementation.

Finally I recommend that you read chapters 5 (Security considerations), 6 (Privacy
considerations), 9 (Algorithm dictionary), since one should not use arbitrary
algorithms, and chapter 10ff. (Key interface). The chapters following 10 are all
more or less related to the interface. Chapter 23 (Algorithms) covers the used
algorithms and chapter 25 (JavaScript Example Code) contains an example in
JavaScript.
This is for the server-side implementation.

I hope that was helpful to you! ;-)

[D1] http://www.w3.org/TR/2012/WD-WebCryptoAPI-20120913/#scope-out-of-scope


Kind regards

Mathias Hollstein
TRON-DELTA.ORG
Non-Governmental Intelligence Organization
Frankfurt, Germany

http://tron-delta.org
http://sourceforge.net/users/hollstein/
http://www.xing.com/profile/Mathias_Hollstein

Received on Saturday, 29 December 2012 12:17:40 GMT
