Re: Web Signing in Action

Dear all,

I agree with what Anders said, that it is unclear where a certain issue
belongs, apps or not. I mean that nobody has cared about this, while many
industry vendors have tirelessly made the same plugins in the web space.
Although Anders indicated there were fewer certificate applications, there
are 14 million users in Korea, and many countries have considered the public
CA area in web browsers. Japan made its own cryptographic algorithm called
Camellia, with Nokia pushing it to all browsers. It means Japan is
interested in offering a public CA to all citizens. European I said.

For several years, innovation from web browsers has changed the world. It's
time to act, not only to think, and I believe that the html5 and webapps w/g
can do this. Frankly speaking, my suggestion is very old, but it's
cost-effective for existing vendors, both web browser and plugin-based CAs.



Daum Developers Network & Affiliates

On Wed, Mar 25, 2009 at 7:00 AM, Anders Rundgren

> I think a problem is that it is unclear where a certain issue belongs.
> IMO all of the stuff I wrote about belong to the app-area but some people
> think it is about security only.
> XML protocols in browsers is an app, at least as I see it.
> Anders
> ----- Original Message -----
> From: "Marcos Caceres"
> To: "Anders Rundgren"
> Cc: "channy"; "WebApps HG"; "Jungshik Shin"; "Gen Kanai"; "Ian Hickson";
> "Thomas Roessler"
> Sent: Tuesday, March 24, 2009 22:24
> Subject: Re: Web Signing in Action
> On Tue, Mar 24, 2009 at 9:37 PM, Anders Rundgren wrote:
> > Hi Everybody,
> > There are simply TONS of issues related to usage of certificates in
> > conjunction with a browser. If you want, you can take a peek at the
> > current thread "client certficates unusable?" in mozilla-dev :-)
> >
> > I personally find it annoying that there are maybe some 100M USB
> > memory sticks in circulation that could have been a wonderful container
> > for keys but unfortunately it never happened. Well, a few US companies
> > tried to create proprietary solutions with SanDisk but (of course) they
> > all failed. Who wants to *pay* for a card driver? It is really
> > something that you would like the OS to have from the beginning!
> >
> > What does this have to do with Web Signing you may wonder? Well, IMO we
> > need to take this in a step-wise fashion and if we can't even get the
> > "keyring" right, it seems that the rest will be of secondary interest.
> > That doesn't say I'm not interested in Web Signing, I have just put it
> > on the "back-burner" in favor of key storage and execution.
> >
> > The absence of a useful <keygen> standard is a disaster. Will the
> > browser-vendors be able to address this issue? I don't expect that.
> >
> > Regarding Web Signing a large group of banks have turned to MSFT to get
> > this solved. I think they are overly optimistic about MSFT's capability
> > and interest in this area but it is a good thing that they are trying at
> > least :-)
> >
> > Based on 13 years of experience with eID, I believe most of the web
> > "standards" in this area will not come from standardization forums
> > because they have proved to be good for really general purpose stuff,
> > but much less successful for applications like Web Sign and <keygen>.
> > A scheme like my current KeyGen2 would not take less than 3 years to
> > standardize and the result would probably not be very useful anyway.
> > Why? Because there are too many choices and people cannot work under
> > such premises. Whatever <keygen> or WebSign we will get, it will most
> > certainly be an open source effort rather than a standard.
> >
> > What W3C could/should standardize is a way to get XML protocols running
> > in a browser and leave the content parts to other groups. IETF's KEYPROV
> > will fail as hard as XKMS did if we ignore the browser connection all
> > the time.
> I see. Thanks for the history. However, what, if anything, should our
> working group do? I don't see anything that is in scope or anything
> directed at any one of our specifications. If we are screwing
> something up somewhere, then please be clear as to where and we will
> do our best to fix it.
> Kind regards,
> Marcos
> --
> Marcos Caceres

Received on Thursday, 26 March 2009 18:50:35 UTC