Re: Using client certificates for signing

On 2016-02-23 07:26, Mitar wrote:
> Hi!
>
> On Mon, Feb 22, 2016 at 10:19 PM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> IMO, the core problem isn't really the diminishing support for the eID use
>> case in browsers (it was never that great anyway...), but the inability for third
>> parties extending the Web in a reasonable and interoperable way.
>
> But with web crypto, I think this position paper is really on point:
>
> https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/Using_the_W3C_WebCrypto_API_for_Document_Signing.html

No, it has been rejected, and IMO for good reasons:
http://webpki.org/papers/permissions.pdf


> How hard it would be to add a way to ask a browser for client signing
> key? With exportable bit set to off. You would ask for that, browser
> would prompt to user to confirm it, user would confirm it, you would
> sign.
>
> Or we could have <keysignature> HTML form element which would just add
> a signature of the form body when submitting it to the server. And
> browser could ask the user if they want to sign this form with this
> content before submitting.

IMHO, this is an "Application" while the browser is like an "Operating System".

As a platform architect I strongly believe that Applications should (as much as
is technically possible...) reside outside of Platforms.  What's called for is a
minute API allowing the Web to talk to a gazillion of currently not particularly
standardized applications, including signing with eID.

If you are looking for a short-term remedy, FIDO alliance, Server signing, and
Identity provider schemes appear to be your best bet.  The signature laws have
recently been "adjusted" to support server signatures since the smart card based
vision didn't really pan out.

Anders


>
>
> Mitar
>

Received on Tuesday, 23 February 2016 06:51:55 UTC