
Re: Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Mon, 22 Feb 2016 22:26:50 -0800
Message-ID: <CAKLmikP6+=aYcA2Rap==Wy4AJ1AMC6Ch9xdP1fdXtpbaNoKGKQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Tim Berners-Lee <timbl@w3.org>
Hi!

On Mon, Feb 22, 2016 at 10:19 PM, Anders Rundgren
<anders.rundgren.net@gmail.com> wrote:
> IMO, the core problem isn't really the diminishing support for the eID use
> case in browsers (it was never that great anyway...), but the inability of third
> parties to extend the Web in a reasonable and interoperable way.

But with web crypto, I think this position paper is really on point:

https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/Using_the_W3C_WebCrypto_API_for_Document_Signing.html

How hard would it be to add a way to ask a browser for a client signing
key? With the exportable bit set to off. You would ask for that, the browser
would prompt the user to confirm it, the user would confirm it, and you would
sign.

Or we could have a <keysignature> HTML form element which would just add
a signature of the form body when submitting it to the server. And the
browser could ask the user if they want to sign this form with this
content before submitting.


Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Tuesday, 23 February 2016 06:27:41 UTC
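
An added example, not part of the original message: the closest thing available in the existing WebCrypto API to the flow described above, a key pair generated with the extractable flag off that signs a serialized form body, which a server then verifies. The helper names (canonicalFormBody, signForm, verifyForm), the serialization rule and the sample fields are assumptions made for illustration; the user prompt and the <keysignature> element do not exist and are not modelled.

```javascript
// Works in browsers and in Node; falls back to node:crypto on older Node versions.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// extractable = false: the private key can be used for signing but never exported.
async function createSigningKey() {
  return subtle.generateKey(ALG, false, ['sign', 'verify']);
}

// Hypothetical canonical form: sorted, URL-encoded name=value pairs, so the
// client signs exactly the bytes the server will later verify.
function canonicalFormBody(fields) {
  return Object.keys(fields).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(fields[k])}`)
    .join('&');
}

// Client side: sign the serialized form body with the non-exportable key.
async function signForm(privateKey, fields) {
  const body = canonicalFormBody(fields);
  const sig = await subtle.sign(SIG, privateKey, enc.encode(body));
  return { body, signature: new Uint8Array(sig) };
}

// Server side: verify against the public key registered earlier (as a JWK).
async function verifyForm(publicJwk, body, signature) {
  const key = await subtle.importKey('jwk', publicJwk, ALG, true, ['verify']);
  return subtle.verify(SIG, key, signature, enc.encode(body));
}

// Exporting a non-extractable private key must be rejected by the implementation.
async function privateKeyIsExportable(privateKey) {
  try { await subtle.exportKey('pkcs8', privateKey); return true; }
  catch { return false; }
}

async function demo() {
  const { privateKey, publicKey } = await createSigningKey();
  const publicJwk = await subtle.exportKey('jwk', publicKey); // public half only
  const fields = { to: 'alice', amount: '100' };              // constructed sample
  const { body, signature } = await signForm(privateKey, fields);
  return {
    body,
    exportable: await privateKeyIsExportable(privateKey),
    valid: await verifyForm(publicJwk, body, signature),
    tampered: await verifyForm(publicJwk, body.replace('100', '900'), signature),
  };
}
```

Unlike a client certificate, a key created this way is scoped to the page's origin and is used without any browser confirmation dialog, which is the gap the message is pointing at.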
