Re: Using client certificates for signing from Martin Thomson on 2016-02-23 (public-webappsec@w3.org from February 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 23 Feb 2016 07:46:16 -0800
To: Mitar <mmitar@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CABkgnnVnBW82cE8s54jt_tkjLOTa21TF296N82MkR3WiC6KEtA@mail.gmail.com>

On 22 February 2016 at 21:42, Mitar <mmitar@gmail.com> wrote:
>> You don't *need* a certificate to sign.  WebCrypto is enough.
>
> You do. Because your certificate is signed by the state CA. And this
> makes your digital signature legally equivalent to the normal
> signature for almost any purpose. At least some countries in Europe
> have such laws.

You do not.  The private key that you use to sign is not in a
certificate.  If the key pair that was used to generate the
certificate is made available to WebCrypto, that is enough.

Received on Tuesday, 23 February 2016 15:46:48 UTC