- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 11 Mar 2016 10:39:42 +0100
- To: Mitar <mmitar@gmail.com>
- Cc: Crispin Cowan <crispin@microsoft.com>, "timeless@gmail.com" <timeless@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 2016-03-10 10:15, Mitar wrote:
> Hi!
>
> On Wed, Mar 9, 2016 at 2:46 AM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> - the other browser vendors are publicly considering dropping support for
>> <keygen>
>
> In fact I do not care so much about key generation in the browser. I

The problem with this is that "virtualization" of credentials is no longer an exception but rather the rule. The FIDO alliance (which has just about the whole "auth industry" as members) is working on this, and some of it is already shipping, while X.509 client support is clearly going backwards.
https://fidoalliance.org/

> just hope they allow importing a certificate into a keystore,

Most do.

> or access to the system's keystore.

Which won't happen, for reasons already explained. One of the core issues is that HTTPS client-certificate authentication is considered a bad application not only for privacy and UI reasons, but for scalability as well. All new authentication systems (for browsers) build on application-level authentication rather than transport-level ditto.

>> - smart cards have never worked particularly well in consumer computers
>
> Depending on who you ask. In Europe there are countries (like Estonia)
> where they work pretty well and many people vote online.

This isn't aligned with the market in general, which uses mobile devices that are (technically) incompatible with the eID vision.

> https://e-estonia.com/component/electronic-id-card/
>
> Similarly in Slovenia there are state-issued certificates one can use
> to work with the government online.
>
>> - practically all eID schemes have already taken on other ways of dealing with the Web
>
> Yes, currently they use custom extensions to make it work, if this is
> what you mean by "other ways". They use other non-standard ways to make
> it work. What I would like to find is a standard way to make it work.
>
> https://github.com/open-eid
>
> How much software instead of one simple HTML form element?
>
> BTW, I asked already before: can somebody point me to those "other
> ways" which really can replace eID schemes in the way that you get
> third-party verifiable statements, and that they are legally binding in
> the same way eID schemes currently are in countries in Europe? I have
> not found any legal changes around that. So those claims have not yet
> been supported.

"Other ways" only means other technical solutions than furnishing signature support in browsers. Some parties have turned to server signatures, which is a moderately thrilling idea, but that's where we are today. Sweden uses a system where you send signature requests to a mobile "App". Although slightly inferior, I think this concept is way better than hoping for a unified signature standard in browsers. Why is that? Well, your scheme may appear simple on the surface, but if you were to go into real standardization you would pretty soon find that consensus would reach zero :-). Personally I don't think signing "Wet" forms is particularly useful; the data should be "Frozen", which I believe is more or less standard for the Web regardless of whether you simply hit "OK" or actually sign data. Anyway, the EU governments have had 15 years to come up with a proposal but they didn't, and now the window of opportunity for such ideas has passed.

> What I see is that currently laws in Europe provide untapped
> opportunities which cannot be built upon, mostly because there is no
> simple support for them in browsers. It really feels that this is just
> because it is not known much in the USA?

Europe's efforts in eID aren't that impressive (I've been into eID for 20 years); they never succeeded in creating a standard for cards and middleware. In my new country, France, they don't even have a concept of a citizen ID, which means that you must manage 5-6 different passwords in order to access all e-gov services!

Anders

>
> Mitar
Received on Friday, 11 March 2016 09:40:49 UTC