- From: Ryan Hurst <ryan.hurst@gmail.com>
- Date: Fri, 09 Mar 2018 14:12:55 +0000
- To: NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu>
- Cc: Tony Arcieri <bascule@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CALVZKwZMeagn6gp6dYeTwguLeZL63LyW4KcPzNne389zf=SSvQ@mail.gmail.com>
Bruno,

You are correct, it is not possible to do a digital signature like you need using FIDO. You could use FIDO to authenticate to a remote server and in turn use that session to do the signature using a remote signing device (HSM, etc).

Ryan

On Fri, Mar 9, 2018 at 9:02 AM NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:

> Hello Tony,
>
> The actual goal is to be able to digitally sign documents, for instance
> PDFs, using pre-provisioned keys contained in hardware tokens (interest
> currently leaning on regular smartcards).
>
> I've previously looked at FIDO U2F, and even though I believe there could
> be some openness here to the idea of USB keys (like the U2F authenticators)
> I believe that's not the biggest drawback of FIDO U2F. From my
> understanding of the technology, the FIDO API will take a challenge as
> input to the signing operation, however, somewhere along the stack that
> challenge will be wrapped in a larger structure and that's what will be
> signed. This would mean that it is not possible to simply sign the hash of
> a document, right?
>
> Best Regards,
>
> *Bruno GONÇALVES*
> Functional Analyst External Provider
>
> *European Parliament*
> Directorate-General for Innovation and Technological Support
> Directorate for Development and Support
> Evolution and Maintenance Unit
> brunogoncalo.nazare@ext.europarl.europa.eu
> www.europarl.europa.eu
>
> *From:* Tony Arcieri [mailto:bascule@gmail.com]
> *Sent:* 08 March 2018 00:38
> *To:* NAZARE GONCALVES Bruno Goncalo
> *Cc:* public-web-security@w3.org
> *Subject:* Re: Digital signatures in the browser
>
> Depending on what you mean by "smartcard" and how flexible your needs are,
> FIDO U2F can be used to accomplish this in Chrome and Firefox today with no
> additional software. Though U2F is an authentication standard, what it
> exposes to the browser is effectively an API for performing ECDSA
> signatures (w/ NIST P-256 elliptic curve) using an origin-specific key.
>
> On Wed, Mar 7, 2018 at 8:05 AM, NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:
>
> Dear Web Security IG,
>
> I'm currently working for the European Parliament, looking for upcoming
> solutions to the problem of creating digital signatures with a smartcard
> directly from a web page, without resorting to additional software.
>
> Thus, I would like to ask if there are any efforts currently underway to
> support this use case or if any will be undertaken in the foreseeable
> future.
>
> I'm aware of the following initiatives that could be somewhat related:
> - WebCrypto Key Discovery (https://www.w3.org/TR/webcrypto-key-discovery/)
> - Web API For Accessing Secure Element (http://globalplatform.github.io/WebApis-for-SE/doc/)
> - Hardware Based Secure Services features (https://rawgit.com/w3c/websec/gh-pages/hbss.html)
>
> Have these been considered already? If so, what's the current sentiment
> surrounding them? If not, are there any plans to analyse these or similar
> solutions in the foreseeable future?
>
> Best Regards,
> Bruno GONÇALVES
> Functional Analyst External Provider
>
> European Parliament
> Directorate-General for Innovation and Technological Support
> Directorate for Development and Support
> Evolution and Maintenance Unit
> brunogoncalo.nazare@ext.europarl.europa.eu
> www.europarl.europa.eu
>
> This message contains confidential information intended solely for the
> attention of the named addressee. It may not be used, disclosed or copied
> in any way whatsoever by anyone else than the intended addressee. If you
> are not the intended addressee, please contact the sender and delete this
> message. The sender of this message is not authorized to represent the
> European Parliament and therefore this message does not necessarily reflect
> the official position of the European Parliament and is not legally binding
> upon it.
>
> --
> Tony Arcieri
Attachments
- image/png attachment: image001.png
Received on Friday, 9 March 2018 14:13:29 UTC
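
Added example, not part of the original thread: a Node.js model of the point discussed above, that a U2F token signs a wrapper structure (application parameter, user presence byte, counter, hash of the client data) rather than the challenge itself, so a document hash passed as the challenge does not yield a signature over the document. The software key pair standing in for the token, the `https://sign.example` app ID and origin, the counter value and the sample document are all constructed assumptions.

```javascript
// Added illustration; not code from the thread. Models the input to a
// FIDO U2F authentication signature (U2F raw message format).
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for the key held on the token (ECDSA, NIST P-256).
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Bytes the token actually signs for an authentication request.
function u2fSignedData(appId, origin, challenge, counter) {
  // The browser, not the page, builds the client data around the challenge.
  const clientData = JSON.stringify({
    typ: 'navigator.id.getAssertion',
    challenge: challenge.toString('base64url'),
    origin,
  });
  const counterBytes = Buffer.alloc(4);
  counterBytes.writeUInt32BE(counter);
  return Buffer.concat([
    sha256(appId),        // application parameter, 32 bytes
    Buffer.from([0x01]),  // user presence flag
    counterBytes,         // signature counter, big-endian
    sha256(clientData),   // challenge parameter, 32 bytes
  ]);
}

function demo() {
  const doc = Buffer.from('constructed sample document bytes');
  const docHash = sha256(doc); // what the page would like to have signed
  const signed = u2fSignedData(
    'https://sign.example', 'https://sign.example', docHash, 7);
  const signature = crypto.sign('sha256', signed, privateKey);
  return {
    signedLength: signed.length,
    // A relying party that rebuilds the U2F structure accepts the signature.
    verifiesAsU2f: crypto.verify('sha256', signed, publicKey, signature),
    // A verifier expecting a signature over the document rejects it.
    verifiesAsDocument: crypto.verify('sha256', doc, publicKey, signature),
  };
}

console.log(demo());
```
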