W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

Re: Using client certificates for signing

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 22 Feb 2016 16:24:09 -0800
Message-ID: <CABkgnnVQ=CfYY1R9=ZWpBP2-tr3Qizz255i-2rk0g1YPSLusvg@mail.gmail.com>
To: Mitar <mmitar@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
You don't *need* a certificate to sign.  WebCrypto is enough.

On 22 February 2016 at 15:27, Mitar <mmitar@gmail.com> wrote:
> Hi!
>
> I tried some more information about the lack of APIs to access client
> certificates from the web applications, and found this position paper:
>
> https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/Using_the_W3C_WebCrypto_API_for_Document_Signing.html
>
> But not much more. I wonder why there is no API to really do something
> useful with those certificates inside web applications. There is
> <keygen> HTML tag to generate it, but there is no <keysign> for
> example that one could sign the content of the form.
>
> I know that some European countries use state provided certificates to
> their citizens, but the lack of APIs in browsers require them to use
> special extensions, which complicate their use even more. Is it
> possible that the lack of relevant APIs is because client side
> certificates have not found mainstream use in industry?
>
> What should be done to move this further? Maybe create <keysign> tag,
> maybe allow getting key for signing to be used by web crypto API?
>
>
> Mitar
>
> --
> http://mitar.tnode.com/
> https://twitter.com/mitar_m
>
Received on Tuesday, 23 February 2016 00:24:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC