Re: Web Sigining in Action

On Tue, Mar 24, 2009 at 9:37 PM, Anders Rundgren
<> wrote:
> Hi Everybody,
> There are simply TONS of issues related to usage of certificates in
> conjunction with a browser.  If you want, you can take a peek at the
> current thread "client certficates unusable?" in mozilla-dev :-)
> I personally find it annoying that there are maybe some 100M USB
> memory sticks in circulation that could have been a wonderful container
> for keys but unfortunately it never happened.  Well, a few US compaines
> tried to create proprietary solutions with SanDisk but (of course) they
> all failed.  Who want to *pay* for a card driver?  It is really
> something that you would like the OS to have from the beginning!
> What does this have to do with Web Signing you may wonder?  Well, IMO we need
> to take this in a step-wise fashion and if we can't even get the "keyring"┬┤right, it seems
> that the rest will be of secondary interest.  That doesn't say I'm not interested in
> Web Signing, I have just put it on the "back-burner" in favor of key storage and
> execution.
> The absence of a useful <keygen> standard is a disaster.  Will the browser-
> vendors be able to address this issue?  I don't expect that.
> Regarding Web Signing a large groups of banks have turned to MSFT to get
> this solved.  I think they are overly optimistic about MSFT's capability and
> interest in this area but it is a good thing that they are trying at least :-)
> Based on 13 years of experience with eID, I believe most of the web "standards"
> in this are will not come from standardization forums because they have proved
> to good for really general purpose stuff, but much less successful for applications
> like Web Sign and <keygen>.   A scheme like my current KeyGen2 would not
> take less than 3 years to standardize and the result would probably be not be
> very useful anyway.  Why?  Because there are too many choices and people
> cannot work under such premisses.  Whatever <keygen> or WebSign we will
> get, it will most certainly be an open source effort rather than a standard.
> What W3C could/should standardize is a way to get XML protocols running
> in a browser and leave the content parts to other groups.  IETF's KEYPROV
> will fail as hard as XKMS did if we ignore the browser connection all the time.

I see. thanks for the history. However, what, if anything, should our
working group do? I don't see anything that is in scope or anything
directed at any one of our specifications. If we are screwing
something up somewhere, then please be clear as to where and we will
do our best to fix it.

Kind regards,

Marcos Caceres

Received on Tuesday, 24 March 2009 21:25:03 UTC