Re: Using client certificates for signing

From: Mitar <mmitar@gmail.com>
Date: Thu, 25 Feb 2016 23:30:39 -0800
Message-ID: <CAKLmikME6HRNfGj09U-E8ugWScjdiRiCs5-VKJnbB5NxPb+CFQ@mail.gmail.com>
To: Ángel González <angel@16bits.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi!

On Thu, Feb 25, 2016 at 3:20 PM, Ángel González <angel@16bits.net> wrote:
> I was thinking of a list in your certificate window, where you could
> input either exact domains or wildcards (eg. *.gov.$CC)

But this has a similar problem to current solutions: you cannot build
an ecosystem around those certificates. My running example is me
wanting to create a petition where I would like people to sign it with
their certificates. I would not be able to do that because it would
not be running under the .gov website.

But maybe an interesting thing would be that sites could request
permission to access this API once and the user would be prompted. So
something like installing the plugin for Google Hangouts. If the user
says no, then the site does not have access to the API. So instead of
prompting for signing itself, you prompt for accessing the signing API
in general.


Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
Received on Friday, 26 February 2016 07:31:12 UTC
