Re: Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Mon, 22 Feb 2016 22:01:30 -0800
Message-ID: <CAKLmikMFC-oyx_h770rdyL1OCfzJgPGBnAtu64M1MX6sRD9pNQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tim Berners-Lee <timbl@w3.org>

On Mon, Feb 22, 2016 at 8:45 PM, Anders Rundgren
<anders.rundgren.net@gmail.com> wrote:
> The first step was removing the support for plugins. The "<keygen>" tag you
> mention is also considered "evil" and is now about to go:
> https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html

This is really sad to read. Instead of improving upon it, we are
removing things. :-(

> Nowadays the browser vendors recommend using FIDO alliance schemes which
> were explicitly designed for the Web: https://fidoalliance.org/

To my understanding the issue here is that you have to trust the
website/app to correctly link your public key identity with some other
identity. I think FIDO is not suitable for government use because of
this. Because why would I trust the website/app to do this linking
correctly? By government having a CA, they can control issuing of
public keys and linking them to the identity. In that case
website/apps are consumers.

FIDO really addresses different use cases. Issues of how to not be
tracked, have stronger authentication, and so on. Client-side
certificates are addressing the question of what if you do want to
have your identity persistent. If you do want to not be anonymous
because you are doing your taxes online?

To me it even feels like USA-centric standardization happening here.

> In the latest incarnation of the Swedish "Mobile BankID", you can not only log in
> (and sign) to hordes of public sector e-services and a bunch of banks, but transfer
> money to 40-50% of the population using a phone number only. All powered by a
> single mobile eID.

The issue with those approaches is that they are not standard.

Concretely, I wanted to create a simple petition website where people
could sign a petition with their state-issued certificates. In
contrast with many other websites for petitions, this one would be
legally binding to the government. And in Europe this is pretty
simple to do because some countries have such certificates.

So one would guess this is easy to do. You make a site, you prompt
the user to sign a piece of text (petition), you store the signature.
Everyone can verify all signatures (using state CA certificate). You
count them. You deliver them to your government and you do active
democracy (instead of liking posts on Facebook).

And then you discover that this is not possible.

Not just that, even browser extensions cannot access those certificates.

This is in my opinion really limiting the usefulness of the web platform. If
we are talking about web being used for democracy. Not possible. Let's
have Facebook-like activism, but not real democracy and real
democratic platforms?


Received on Tuesday, 23 February 2016 06:02:00 UTC
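
The verify-and-count step described in the message above (each stored signature checked against the state CA certificate, then counted), as an added example that is not part of the original message. It assumes the `openssl` command-line tool; the CA names `stateca` and `otherca`, the signer names, the petition text and all helper functions are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: "stateca" stands in for a government CA and "otherca" for
# an unrelated one. All keys, names and petition text are generated here.

mkca() {    # mkca <name>: self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
mkcert() {  # mkcert <name> <ca>: citizen certificate issued by <ca>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.crt" >/dev/null 2>&1
}
sign() {    # sign <name> <text> <out>: detached PKCS#7 signature over <text>
    openssl smime -sign -binary -md sha256 -in "$2" -signer "$1.crt" \
        -inkey "$1.key" -outform DER -out "$3" >/dev/null 2>&1
}
# count_valid <text> <ca.crt> <sig>...: print how many distinct signers have a
# signature that covers <text> and a certificate that chains to <ca.crt>.
# openssl may also consult its default trust locations; -no-CAfile and
# -no-CApath restrict that where the installed version supports them.
count_valid() {
    text=$1; ca=$2; shift 2; seen=""; n=0
    for sig in "$@"; do
        openssl smime -verify -binary -inform DER -in "$sig" \
            -content "$text" -CAfile "$ca" -signer signer.pem \
            -out /dev/null >/dev/null 2>&1 || continue
        # Assumption: the certificate subject identifies exactly one person.
        subj=$(openssl x509 -in signer.pem -noout -subject)
        case "$seen" in *"|$subj|"*) continue ;; esac   # same person again
        seen="$seen|$subj|"; n=$((n + 1))
    done
    echo "$n"
}
demo() (    # runs in a subshell inside a scratch directory
    cd "$(mktemp -d)" || exit 1
    mkca stateca; mkca otherca
    mkcert alice stateca; mkcert bob stateca; mkcert carol stateca
    mkcert mallory otherca
    printf 'Petition A\n' > petition.txt; printf 'Petition B\n' > other.txt
    sign alice petition.txt a1.p7s; sign alice petition.txt a2.p7s  # duplicate
    sign bob petition.txt b.p7s
    sign carol other.txt c.p7s        # valid certificate, different text
    sign mallory petition.txt m.p7s   # right text, certificate from otherca
    count_valid petition.txt stateca.crt a1.p7s a2.p7s b.p7s c.p7s m.p7s
)
echo "distinct valid signers: $(demo)"
```

Of the five stored signatures only two count: the repeat, the signature over a different text and the one from a certificate outside the state CA are all dropped.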