Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Mon, 22 Feb 2016 15:27:51 -0800
Message-ID: <CAKLmikPdC1BhGKJLftvhrfujaqZpOHpNo-MCQFJip_0v9fA6tw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

I tried to find some more information about the lack of APIs to access client
certificates from web applications, and found this position paper:


But not much more. I wonder why there is no API to really do something
useful with those certificates inside web applications. There is the
<keygen> HTML tag to generate it, but there is no <keysign>, for
example, with which one could sign the content of the form.

I know that some European countries use state-provided certificates for
their citizens, but the lack of APIs in browsers requires them to use
special extensions, which complicate their use even more. Is it
possible that the lack of relevant APIs is because client-side
certificates have not found mainstream use in industry?

What should be done to move this further? Maybe create a <keysign> tag,
or maybe allow getting a key for signing to be used by the Web Crypto API?


Received on Monday, 22 February 2016 23:28:21 UTC