
Re: Using client certificates for signing

From: Ángel González <angel@16bits.net>
Date: Mon, 29 Feb 2016 23:44:52 +0100
Message-ID: <1456785892.12284.10.camel@16bits.net>
To: public-webappsec@w3.org

Mitar wrote:
> Hi!
> 
> On Thu, Feb 25, 2016 at 3:20 PM, Ángel González <angel@16bits.net>
> wrote:
> > 
> > I was thinking of a list in your certificate window, where you could
> > input either exact domains or wildcards (e.g. *.gov.$CC)
> But this has a similar problem to current solutions: you cannot build
> an ecosystem around those certificates. My running example is me
> wanting to create a petition where I would like people to sign it
> with their certificates. I would not be able to do that because it
> would not be running under the .gov website.

The user would need to add your domain to the list of websites allowed
to use that certificate. The *.gov.$CC was an example for wildcard
support.

> But maybe an interesting thing would be that sites could request once
> a permission to access this API and the user would be prompted. So
> something like installing the plugin for Google Hangouts. If the user
> says no, then the site does not have access to the API. So instead of
> prompting for signing itself, you prompt for accessing the signing
> API in general.

No. There may be several certificates, each with its own set of
permissions. I may only wish to enable a certificate issued by my
employer to be accessed by their webpage, but support a government ID
certificate to be used by several official websites. Or on a shared
computer (and user account), one family member allowing signing doesn't
mean allowing signing for everyone.
Received on Monday, 29 February 2016 22:45:26 UTC
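
The per-certificate allow-list discussed in this message, sketched as an added example that is not part of the original e-mail or of any browser API. The certificate ids, host names and function names are hypothetical, and the HTTPS-only rule is an assumption.

```javascript
// Added illustration; certificate ids and host names are hypothetical.
// Each certificate carries its own user-edited list of allowed sites.
const certificatePermissions = new Map([
  ["employer-cert", ["intranet.employer.example"]],
  ["gov-id-cert", ["*.gov.example", "petitions.example"]],
]);

// Exact entries must equal the host. "*.suffix" matches one or more whole
// labels in front of the suffix, never the bare suffix or a partial label.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (!p.startsWith("*.")) return p === h;
  const suffix = p.slice(1); // "*.gov.example" -> ".gov.example"
  return h.length > suffix.length && h.endsWith(suffix);
}

// Decide whether `origin` may ask to sign with certificate `certId`.
function mayUseCertificate(permissions, certId, origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // unparsable origin: deny
  }
  if (url.protocol !== "https:") return false; // assumption: secure origins only
  const patterns = permissions.get(certId) ?? []; // unknown certificate: deny
  return patterns.some((p) => hostMatches(p, url.hostname));
}

// Certificates a site could be offered; everything else stays invisible to it.
function certificatesFor(permissions, origin) {
  return [...permissions.keys()].filter((id) =>
    mayUseCertificate(permissions, id, origin));
}
```

A site that is not listed for any certificate gets an empty list from `certificatesFor`, so granting one site access to one certificate never exposes the others.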
