- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Tue, 24 Mar 2009 21:37:52 +0100
- To: <marcosc@opera.com>, "channy" <channy@gmail.com>
- Cc: "WebApps HG" <public-webapps@w3.org>, "Jungshik Shin" <jungshik@google.com>, "Gen Kanai" <gen@mozilla.com>, "Ian Hickson" <ian@hixie.ch>, "Thomas Roessler" <tlr@w3.org>
Hi Everybody, There are simply TONS of issues related to usage of certificates in conjunction with a browser. If you want, you can take a peek at the current thread "client certficates unusable?" in mozilla-dev :-) I personally find it annoying that there are maybe some 100M USB memory sticks in circulation that could have been a wonderful container for keys but unfortunately it never happened. Well, a few US compaines tried to create proprietary solutions with SanDisk but (of course) they all failed. Who want to *pay* for a card driver? It is really something that you would like the OS to have from the beginning! What does this have to do with Web Signing you may wonder? Well, IMO we need to take this in a step-wise fashion and if we can't even get the "keyring"´right, it seems that the rest will be of secondary interest. That doesn't say I'm not interested in Web Signing, I have just put it on the "back-burner" in favor of key storage and execution. The absence of a useful <keygen> standard is a disaster. Will the browser- vendors be able to address this issue? I don't expect that. Regarding Web Signing a large groups of banks have turned to MSFT to get this solved. I think they are overly optimistic about MSFT's capability and interest in this area but it is a good thing that they are trying at least :-) Based on 13 years of experience with eID, I believe most of the web "standards" in this are will not come from standardization forums because they have proved to good for really general purpose stuff, but much less successful for applications like Web Sign and <keygen>. A scheme like my current KeyGen2 would not take less than 3 years to standardize and the result would probably be not be very useful anyway. Why? Because there are too many choices and people cannot work under such premisses. Whatever <keygen> or WebSign we will get, it will most certainly be an open source effort rather than a standard. What W3C could/should standardize is a way to get XML protocols running in a browser and leave the content parts to other groups. IETF's KEYPROV will fail as hard as XKMS did if we ignore the browser connection all the time. Best regards Anders ----- Original Message ----- From: "Marcos Caceres" <marcosc@opera.com> To: "channy" <channy@gmail.com> Cc: "WebApps HG" <public-webapps@w3.org>; "Jungshik Shin" <jungshik@google.com>; "Gen Kanai" <gen@mozilla.com>; "Anders Rundgren" <anders.rundgren@telia.com>; "Ian Hickson" <ian@hixie.ch> Sent: Tuesday, March 24, 2009 19:59 Subject: Re: Web Sigining in Action 2009/3/22 Channy Yun <channy@gmail.com>: > Dear Webapps W/G members, > > This is Channy Yun, one of web standards evangelists in Korea. I'm so glad to introduce myself in > this working group. I want to get advice from you about as following my issue. Please don't > hesitate to write your thought. > > Motivation > As someone knows, Korea's browser monoculture has prevented tech innovations and user's choice > [1]. It was caused by wrong implementation of digital signature by Korean govenment's the law and > national PKI system. Its technique has been based on browser plugin as like Active X and Java > applet, so it also made many security problems on user's PC. Nowadays 15 million personal > certificates were issued and they are used in e-banking, trading and governmental sites to valid > user and transaction in Korea. > rght > Similarly some of European countries also had national PKI system including Denmark [2], Spain and > etc. Denmark's system was opensourced [3], but it is also based on browser plugins. It were > dominated by VeriSign most of commercial market as like private CA service with issuing personal > certificate and transaction with digital signature. > right > Many countries want to national CA and offer their service to citizen with assurance by law[4]. So > I thought it needed browser-based web signing model by bad example of Korea. > right > History > I and some people suggested this issue to WHATWG because it was solved by browser vendors. Anders > Rundgren also did own model of WASP - signing data in browser sessions[5] and I did adding digital > signature in <form> processing in HTML5. > right > As following is history of this issue. > > http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-September/thread.html#7246 > http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-October/thread.html#7573 > http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-November/thread.html#7592 > http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/015513.html > http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/thread.html#15522 > http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/thread.html#18919 > > Ian recommended us to continue this discussion in Webapps W/G[6]. Andres also has tried another > effort to solve issue[7]. > can you please send us a better summary. > Rebuilding of Web Signing Profile > Maybe this long history was recognized by leading people of this group. I don’t convince whether > the activity of web signing profile was made by this purpose or not. But, it seems to integrate > with Widget’s digital signature and there is no action further. > I dont understand. can you please make your comments against the current editor's draft of our spec? > As you know, the technology situation was very changed in time raising this issue. Ajax was born > and there are many web applications based on open standards and Web APIs. > ok > So I want for you to consider this issue in this working group with new baseline and for to > browser vendors to join this issue quickly before many countries commit a fault as like Korea. > Brower’s functions as like crypto.signText or IE’s CAPICOM dll were deprecated in right now. So it > is essential making new standard and implementation them. > I'm not sure what you wan us to do. > > Reference > ------ > [1] http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s > [2] http://www.virk.dk/digital_signatur > [3] http://www.openoces.org/index.html > [4] https://wiki.mozilla.org/CA:Schedule > [5] http://webpki.org/ > [6] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/018935.html > [7] https://informationcard.net/wiki/index.php/Browser_Integration_WG > > > Channy > --------------------- > http://www.linkedin.com/in/channy > http://www.creation.net > > Daum Developers Network & Affiliates > http://dna.daum.net > -- Marcos Caceres http://datadriven.com.au
Received on Tuesday, 24 March 2009 20:38:28 UTC