- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 04 Nov 2013 06:41:48 +0100
- To: Web Payments CG <public-webpayments@w3.org>

I've seen the discussion regarding HTTP-keys versus JOSE/WebCrypto.

IMO, the exact format of a server-initiated signature is not "mission-critical"; the only true requirement is that it is verifiable. There are already a lot of systems out there using CMS and XML DSig.

The real problem with signatures is when they are initiated in the client-end by a human user looking at a transaction request on the web. For that purpose there are currently NO standards. To my knowledge there's currently a single proposal on the table:
http://webpki.org/papers/PKI/pki-webcrypto.pdf

Well, in theory WebCrypto can already do this, but I think it won't happen until Google releases their U2F scheme, which doesn't rely on WebCrypto's key-generation, -storage and -protection features but complies with the rest.

None of these schemes depend on any particular signature format on business transactions, because that would seriously hamper adoption.

Anders

Received on Monday, 4 November 2013 05:42:18 UTC