
Re: Using client certificates for signing

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 23 Feb 2016 07:19:59 +0100
To: Mitar <mmitar@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tim Berners-Lee <timbl@w3.org>
Message-ID: <56CBFA0F.1090907@gmail.com>

On 2016-02-23 07:01, Mitar wrote:
> Hi!
>
> On Mon, Feb 22, 2016 at 8:45 PM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> The first step was removing the support for plugins. The "<keygen>" tag you
>> mention is also considered "evil" and is now about to go:
>> https://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html
>
> This is really sad to read. Instead of improving upon it, we are
> removing things. :-(

IMO, the core problem isn't really the diminishing support for the eID use case
in browsers (it was never that great anyway...), but the inability of third parties
to extend the Web in a reasonable and interoperable way.

Unfortunately, this capability seems to be a sore point that so far hasn't been
possible for standardization bodies to deal with:


>> Nowadays the browser vendors recommend using FIDO alliance schemes which
>> were explicitly designed for the Web: https://fidoalliance.org/
>
> To my understanding the issue here is that you have to trust the
> website/app to correctly link your public key identity with some other
> identity. I think FIDO is not suitable for government use because of
> this. Because why would I trust the website/app to do this linking
> correctly. By government having a CA, they can control issuing of
> public keys and linking them to the identity. In that case
> website/apps are consumers.
>
> FIDO really addresses different use cases. Issues of how to not be
> tracked, have stronger authentication, and so on. Client-side
> certificates are addressing the question of what if you do want to
> have your identity persistent. If you do want to not be anonymous
> because you are doing your taxes online?
>
> To me it even feels like USA-centric standardization happening here.
>
>> In the latest incarnation of the Swedish "Mobile BankID", you can not only log in
>> (and sign) to hordes of public sector e-services and a bunch of banks, but transfer
>> money to 40-50% of the population using a phone number only. All powered by a
>> single mobile eID.
>
> The issue with those approaches is that they are not standard.
>
> Concretely, I wanted to create a simple petition website where people
> could sign a petition with their state-issued certificates. In
> contrast with many other websites for petitions, this one would be
> legally binding to the government. And in Europe this is pretty
> simple to do because some countries have such certificates.
>
> So one would guess this is easy to do. You make a site, you prompt
> the user to sign a piece of text (petition), you store the signature.
> Everyone can verify all signatures (using state CA certificate). You
> count them. You deliver them to your government and you do active
> democracy (instead of liking posts on Facebook).
>
> And then you discover that this is not possible.
>
> Not just that, even browser extensions cannot access those certificates.
>
> This is in my opinion really limiting the usefulness of the web platform. If
> we are talking about web being used for democracy. Not possible. Let's
> have Facebook like activism, but not real democracy and real
> democratic platforms?
>
> Mitar
Received on Tuesday, 23 February 2016 06:20:45 UTC
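
The verify-and-count half of the petition scheme described in the quoted message, as an added example that is not code from this thread or from any eID system. It accepts a signature only if the signer's certificate chains to the trusted CA and the signature covers exactly the petition text, and it counts each certified subject once. Assumptions: the names `Entry`, `CountValid` and `Issue` are hypothetical, the CA and signers are constructed in-process with Ed25519 keys, signatures are raw signatures over the text, and revocation is not checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Entry struct{ CertDER, Sig []byte } // signer certificate (DER) and signature over the petition text

// CountValid counts distinct subjects with a certificate chaining to ca and a valid signature over petition.
func CountValid(ca *x509.Certificate, petition []byte, entries []Entry) int {
	roots, seen := x509.NewCertPool(), map[string]bool{}
	roots.AddCert(ca)
	for _, e := range entries {
		cert, err := x509.ParseCertificate(e.CertDER)
		if err == nil { // chain and validity-period check against the trusted CA only
			_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		}
		if err == nil && cert.CheckSignature(x509.PureEd25519, petition, e.Sig) == nil {
			seen[cert.Subject.String()] = true // repeat signatures by one subject count once
		}
	}
	return len(seen)
}

// Issue creates a constructed demo certificate (Ed25519 is an assumption); a nil parent yields a self-signed CA.
func Issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := Issue("Constructed State CA", nil, nil)
	alice, aliceKey := Issue("Alice (constructed)", ca, caKey)
	text := []byte("Constructed petition text")
	fmt.Println(CountValid(ca, text, []Entry{{alice.Raw, ed25519.Sign(aliceKey, text)}}))
}
```

Deduplicating on the certificate subject assumes the CA issues one subject name per person; a signer holding several certificates under different subject names would be counted more than once.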
