W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

Re: Alternative proposal for the form signing using client-certificate

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 11 Mar 2016 10:39:42 +0100
To: Mitar <mmitar@gmail.com>
Cc: Crispin Cowan <crispin@microsoft.com>, "timeless@gmail.com" <timeless@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56E2925E.3000305@gmail.com>
On 2016-03-10 10:15, Mitar wrote:
> Hi!
> On Wed, Mar 9, 2016 at 2:46 AM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> - the other browser vendors are publicly considering dropping support for
>> <keygen>
> In fact I do not care so much about key generation in the browser. I

The problem with this is that "virtualization" of credentials is no longer
and exception but rather the rule.   The FIDO alliance (which have just
about the whole "auth industry" as members) is working with this and some of
this is already shipping while X.509 client support clearly is going backwards.

> just hope they allow importing a certificate into a keystore,

Most do.

> or access to system's keystore.

Which won't happen for reasons already explained.

One of the core issues is that HTTPS client-certificate authentication
is considered a bad application not only for privacy and UI reasons,
but for scalability as well.  All new authentication systems (for browsers)
build on application-level authentication rather than transport-level ditto.

>> - smart cards have never worked particularly well in consumer computers
> Depending who you ask. In Europe there are countries (like Estonia)
> where they work pretty well and many people vote online.

This isn't aligned with the market in general which uses mobile devices which are
(technically) incompatible with the eID vision.

> https://e-estonia.com/component/electronic-id-card/
> Similarly in Slovenia there are state-issued certificates one can use
> to work with government online.
>> - practically all eID schemes have already take on other ways dealing with the Web
> Yes, currently they use custom extension to make it work, if this is
> what you mean "other ways". They use other non-standard ways to make
> it work. What I would like to find is a standard way to make it work.
> https://github.com/open-eid
> How much software instead of one simple HTML form element?
> BTW, I asked already before, can somebody point me to those "other
> ways" which really can replace eID schemes in the way that: you get a
> 3rd party verifiable statements, and that they are legal bounding in
> the same way eID schemes are currently in countries in Europe? I have
> not found any legal changes around that. So those claims have not yet
> been supported.

"Other ways" only means other technical solutions than furnishing signature
support in browsers.  Some parties have turned to server-signatures which
is a moderately thrilling idea but that's where we are today.

Sweden uses a system where you send signature requests to a mobile "App".
Although slightly inferior, I think this concept is way better than hoping
on a unified signature standard in browsers.  Why is that?  Well, your scheme
may appear simple on the surface but if you would go into real standardization
you would pretty soon find that consensus would reach zero :-).

Personally I don't think signing "Wet" forms is particularly useful; the data
should be "Frozen" which is believe is more or less standard for the Web
regardless if you simply hit "OK" or actually sign data.

Anyway, the EU governments have had 15 years coming up with a proposal but
they didn't and now the window of opportunity for such ideas have passed.

> What I see is that currently laws in Europe provide untapped
> opportunities which cannot be build upon mostly because there is no
> simple support for them in browsers. It really feels that this is just
> because it is not known much in USA?

Europe's efforts in eID aren't that impressing (been into eID since 20 years
back); they never succeed creating a standard for cards and middleware.

In my new country France, they don't even have a concept of a citizen ID
which means that you must manage 5-6 different passwords in order to access
all e-gov services!


> Mitar
Received on Friday, 11 March 2016 09:40:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:55 UTC