Re: Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Tue, 23 Feb 2016 22:55:34 -0800
Message-ID: <CAKLmikOgXp=WxRqgLHhBJ1jtVwVD2aPjOBgUgLP_+cXqGW2c5Q@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi!

On Tue, Feb 23, 2016 at 7:46 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 22 February 2016 at 21:42, Mitar <mmitar@gmail.com> wrote:
>>> You don't *need* a certificate to sign.  WebCrypto is enough.
>>
>> You do. Because your certificate is signed by the state CA. And this
>> makes your digital signature legally equivalent to the normal
>> signature for almost any purpose. At least some countries in Europe
>> have such laws.
>
> You do not.  The private key that you use to sign is not in a
> certificate.  If the key pair that was used to generate the
> certificate is made available to WebCrypto, that is enough.

Oh, you are objecting to my terminology, but it seems that we agree
otherwise. So you are agreeing that exposing the private key of the
certificate's key pair to WebCrypto would be one of the ways to address
this? I agree. So how can we make this available?


Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Wednesday, 24 February 2016 06:56:02 UTC