W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2016

Re: Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Tue, 23 Feb 2016 22:52:46 -0800
Message-ID: <CAKLmikNNg5uu4rdyO9GAs96Bac2Ey1UBCO+hMR87DPJR07YJPQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Feb 22, 2016 at 10:51 PM, Anders Rundgren
<anders.rundgren.net@gmail.com> wrote:
>> But with web crypto, I think this position paper is really on point:
>> https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/Using_the_W3C_WebCrypto_API_for_Document_Signing.html
> No, it has been rejected an IMO for good reasons:
> http://webpki.org/papers/permissions.pdf

I beg to differ. I checked the link you provided and I have not been convinced.

Even if user would be signing unknown content, the prompt would still
be reasonable only in some contexts. If user would get the prompt in
the unexpected context, it is easy to cancel it. If user is on the
e-government website doing taxes, it can assume that they are signing
trustworthy document. Without having to expose their keys in any way.
They already have to trust the website to some degree (that they will
store the signature). Moreover, the signature made with the
client-certificate can be independently verified.

The proposal that there could be a way to sign a form (is this so
strange a requirement, you sign so many forms in real-world, why there
could not be an element to sign a form?) browser could even display
the content being signed.

Also, there could be a hook for browser extensions to intercept
signing and do even extra check, render content in smart ways to
display what exactly is being signed and so on. We could leave to the
community to further improve signing experience.

> If you are looking for a short-term remedy, FIDO alliance, Server signing,
> and Identity provider schemes appears to be your best bet.

I do not see how any of proposed alternatives provides this features?
How exactly would any of those allow one to use client-side
certificates provided by the government?

> The signature laws have recently been "adjusted" to support server signatures since
> the smart card based vision didn't really pan out.

And mostly because of the lack of support in browsers. Governments
even managed to solve the problem of distributing the keys widely.

Can you please provide references to those changes in laws? I am
really curious how they managed to describe viable alternatives.


Received on Wednesday, 24 February 2016 06:53:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:54 UTC