
Re: RFC; new SignatureAlgorithm for web browser interop

From: Mikolaj Habryn <dichro@rcpt.to>
Date: Thu, 30 Mar 2006 11:00:57 +1100
To: Anders Rundgren <anders.rundgren@telia.com>
Cc: w3c-ietf-xmldsig@w3.org
Message-Id: <1143676858.4507.15.camel@mh.optusnet.com.au>
On Wed, 2006-03-29 at 22:22 +0200, Anders Rundgren wrote:
> I tried it but got an internal error.  Maybe the certificate issued by "SuckerTrust"
> for a user with the e-mail address boss@fire.hell was the culprit. :-)

Firefox, at least, is very finicky about what certificates it will
permit itself to use for the crypto.signText operation. Things that have
tripped me up so far include ensuring that: the CA cert is trusted for
the right things by the browser, the purpose bits are right on the
certificate, there's a master security password set in the browser (!),
and that the CA certificate has correctly formatted X509 fields.
Regrettably, the only way that you know if there's a problem is when
crypto.signText fails with 'error:internalError'. c'est la Mozilla.

I've attached a client certificate (password frog) and the corresponding
CA certificate - these work for me. YMMV. Be sure to trust the CA cert
or the purpose of the client certificate will show up as 'Unknown' and
it won't work.

> Apart from that, I have no objections to the conversion scheme,
> although I would like to see some more documentation if possible.

I'll keep the list apprised of progress; the next steps will be sorting
out key generation using the browser's CRMF request method, formalizing
the XML schema, and putting an AJAX frontend using this technique (and
including key generation) on the front of the existing web applications.

> The latter will
> be launched next week at the NIST PKI Workshop.

That's a somewhat annoying mis-schedule on my part - had I started
working on this a few months earlier, and realized the workshop was on,
I'd probably have attended. Ah well. I presume there'll be proceedings
published at some point.

m.


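The message above notes that the only feedback a page gets from Firefox's crypto.signText is an opaque 'error:internalError' string. The following is an added example, not code from the original post, from Mozilla or from the author's project: a small JavaScript wrapper that feature-detects the (legacy, since removed from Firefox) crypto.signText call, classifies its string result, and turns each failure code into a diagnostic based on the checklist in the message. The three "error:..." strings are the ones Mozilla documented for signText; the hints attached to them are this example's own suggestions, and makeFakeCrypto is a constructed stand-in for the browser object so the wrapper can be exercised outside a browser.

```javascript
// Added example, not part of the original mailing-list post. Wraps the legacy
// Mozilla crypto.signText(text, caOption) call so a web app can act on its
// string result instead of guessing what went wrong.

// Result strings signText could return instead of a base64 PKCS#7 blob
// (values as documented by Mozilla; the hints are this example's own,
// derived from the checklist in the message above).
const SIGNTEXT_ERRORS = {
  "error:userCancel": "User dismissed the certificate-selection dialog.",
  "error:noMatchingCert":
    "No usable client certificate: check that the issuing CA is trusted, " +
    "that the key usage bits permit signing, and that the certificate is " +
    "installed in the browser's own store.",
  "error:internalError":
    "NSS refused to sign: a master password may not be set, or the CA or " +
    "client certificate may have malformed X.509 fields."
};

// Strict base64 check for the success case (base64-encoded PKCS#7 SignedData).
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Classify the raw string returned by crypto.signText.
function interpretSignTextResult(result) {
  if (typeof result !== "string" || result.length === 0) {
    return { ok: false, code: "error:invalidResult", hint: "signText returned no data." };
  }
  if (Object.prototype.hasOwnProperty.call(SIGNTEXT_ERRORS, result)) {
    return { ok: false, code: result, hint: SIGNTEXT_ERRORS[result] };
  }
  // Drop the line breaks the browser inserts into the base64 output, then validate.
  const compact = result.replace(/[\r\n]/g, "");
  if (!BASE64_RE.test(compact) || compact.length % 4 !== 0) {
    return { ok: false, code: "error:unrecognised", hint: "Result is neither a known error code nor base64." };
  }
  return { ok: true, code: "ok", signature: compact };
}

// Sign `text` with a certificate from the browser's store. `cryptoObj` is injected
// (window.crypto in a browser of that era) so the function can run without one.
// caOption "ask" shows the user a certificate chooser; "auto" picks silently.
function signWithBrowser(cryptoObj, text, caOption = "ask") {
  if (!cryptoObj || typeof cryptoObj.signText !== "function") {
    return { ok: false, code: "error:unsupported", hint: "crypto.signText is not available in this browser." };
  }
  if (caOption !== "ask" && caOption !== "auto") {
    throw new RangeError("caOption must be 'ask' or 'auto'");
  }
  return interpretSignTextResult(cryptoObj.signText(text, caOption));
}

// Constructed stand-in for the browser's crypto object (hypothetical; for offline use).
function makeFakeCrypto(cannedResponse) {
  return { signText: (_text, _caOption) => cannedResponse };
}

// Usage: signWithBrowser(window.crypto, "text to sign", "ask").hint tells the user
// what to check when the browser only says 'error:internalError'.
```

In a real page the wrapper would be called with window.crypto; the hint string is what you would surface to the user, since the browser itself gives no further detail.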



Received on Thursday, 30 March 2006 00:02:09 UTC
