Re: Web Signing in Action

2009/3/22 Channy Yun <channy@gmail.com>:
> Dear Webapps W/G members,
>
> This is Channy Yun, one of the web standards evangelists in Korea. I'm so glad to introduce myself to this working group. I want to get your advice about my issue, as follows. Please don't hesitate to write your thoughts.
>
> Motivation
> As some of you know, Korea's browser monoculture has prevented tech innovation and users' choice [1]. It was caused by a wrong implementation of digital signatures under the Korean government's law and national PKI system. The technique has been based on browser plugins such as ActiveX and Java applets, so it has also caused many security problems on users' PCs. By now 15 million personal certificates have been issued, and they are used in e-banking, trading and governmental sites to validate users and transactions in Korea.
>

right

> Similarly, some European countries, including Denmark [2], Spain, etc., also had national PKI systems. Denmark's system was open-sourced [3], but it is also based on browser plugins. Most of the commercial market, such as private CA services issuing personal certificates and transactions with digital signatures, was dominated by VeriSign.
>

right

> Many countries want a national CA and want to offer its service to citizens with assurance by law [4]. So I thought a browser-based web signing model was needed, given the bad example of Korea.
>

right

> History
> Some people and I suggested this issue to WHATWG because it was solved by browser vendors. Anders Rundgren also made his own model, WASP - signing data in browser sessions [5], and I worked on adding digital signatures to <form> processing in HTML5.
>

right

> The following is the history of this issue.
>
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-September/thread.html#7246
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-October/thread.html#7573
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-November/thread.html#7592
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/015513.html
> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/thread.html#15522
> http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/thread.html#18919
>
> Ian recommended that we continue this discussion in the Webapps W/G [6]. Anders has also made another effort to solve the issue [7].
>

Can you please send us a better summary?

> Rebuilding of Web Signing Profile
> Maybe this long history was recognized by the leading people of this group. I am not sure whether the web signing profile activity was created for this purpose or not. But it seems to be integrated with the Widgets digital signature, and there is no further action.
>

I don't understand. Can you please make your comments against the
current editor's draft of our spec?

> As you know, the technology situation has changed greatly during the time this issue has been raised. Ajax was born, and there are many web applications based on open standards and Web APIs.
>

ok

> So I want you to consider this issue in this working group with a new baseline, and for browser vendors to join this issue quickly, before many countries make the same mistake as Korea. Browser functions such as crypto.signText or IE's CAPICOM DLL are now deprecated. So it is essential to make a new standard and implement it.
>

I'm not sure what you want us to do.

>
> Reference
> ------
> [1] http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s
> [2] http://www.virk.dk/digital_signatur
> [3] http://www.openoces.org/index.html
> [4] https://wiki.mozilla.org/CA:Schedule
> [5] http://webpki.org/
> [6] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/018935.html
> [7] https://informationcard.net/wiki/index.php/Browser_Integration_WG
>
>
> Channy
> ---------------------
> http://www.linkedin.com/in/channy
> http://www.creation.net
>
> Daum Developers Network & Affiliates
> http://dna.daum.net
>



-- 
Marcos Caceres
http://datadriven.com.au

Received on Tuesday, 24 March 2009 19:00:06 UTC