
Re: Alternative proposal for the form signing using client-certificate

From: Mitar <mmitar@gmail.com>
Date: Mon, 7 Mar 2016 00:13:32 -0800
Message-ID: <CAKLmikN3PQFSCUYPwFBK5errRy9BG0FqpEEG+fr_xoaEQ6YGCA@mail.gmail.com>
To: Crispin Cowan <crispin@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hi!

On Sun, Mar 6, 2016 at 11:46 PM, Crispin Cowan <crispin@microsoft.com> wrote:
> There are 2 problems with this:
> 1. You are asking the user to pick a cert. Don't do that, users don't understand certs.

Only if they have multiple client-certs available.

Also, users who have client-certs know that they have them. Asking
them the way Firefox asks is, I think, pretty good, because they see
the CA name and their own name on the certificate. So you are just
picking the identity there, not technical details.

But I agree. If the client has only one certificate (probably in most
cases with government certificates), we should not ask with a prompt.

> 2. The cert is not unique to the asking web site. If you allow certs to be valid for more than one origin, you are inviting phishing attacks.

Can you explain this a bit more? How are you inviting phishing attacks
if the signed content contains the URL where the signing has been
done? You cannot verify signatures manually anyway, so you have to
pass validation through some sort of algorithm, and that algorithm can
also check whether the URL matches the expected URL.

Mitar

-- 
http://mitar.tnode.com/
https://twitter.com/mitar_m
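The check described in the reply above, as an added Go example that is not part of this thread or of any W3C proposal: the signing side signs the form body together with the origin it was signed at, and the relying site verifies the signature and then rejects content whose embedded origin is not its own (a signature made at some other site does not verify as a submission to this one). The payload layout, the digest format and the use of a freshly generated ECDSA key in place of a client certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedForm is an assumed payload shape, not a W3C format: the serialised
// form body, the origin the signing happened at, and a signature over both.
type SignedForm struct {
	Origin string
	Body   string
	Sig    []byte
}

var ErrBadSignature = errors.New("signature does not verify")
var ErrOriginMismatch = errors.New("valid signature, but bound to a different origin")

// digest hashes origin and body with a length prefix on the origin, so the
// boundary between them is unambiguous and the origin is covered by the signature.
func digest(origin, body string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%s\n%s", len(origin), origin, body)))
	return h[:]
}

// SignForm stands in for the browser: it signs the body together with the origin.
func SignForm(priv *ecdsa.PrivateKey, origin, body string) (SignedForm, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(origin, body))
	return SignedForm{Origin: origin, Body: body, Sig: sig}, err
}

// VerifyForm is the relying site: check the signature, then that the origin
// inside the signed content is this site and not some other site.
func VerifyForm(pub *ecdsa.PublicKey, expectedOrigin string, f SignedForm) error {
	if !ecdsa.VerifyASN1(pub, digest(f.Origin, f.Body), f.Sig) {
		return ErrBadSignature
	}
	if f.Origin != expectedOrigin {
		return ErrOriginMismatch
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for a client cert key
	f, _ := SignForm(priv, "https://bank.example", "amount=100&to=ACCT")
	fmt.Println(VerifyForm(&priv.PublicKey, "https://bank.example", f))
	fmt.Println(VerifyForm(&priv.PublicKey, "https://other.example", f))
}
```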
Received on Monday, 7 March 2016 08:14:02 UTC