
Re: Alternative proposal for the form signing using client-certificate

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 12 Mar 2016 07:09:37 +0100
To: Mitar <mmitar@gmail.com>
Cc: Crispin Cowan <crispin@microsoft.com>, "timeless@gmail.com" <timeless@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56E3B2A1.5090208@gmail.com>
On 2016-03-12 06:42, Mitar wrote:
> Hi!
>
> On Fri, Mar 11, 2016 at 9:27 PM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> In my old country (Sweden) I can log in to (almost) any of the national
>> banks
>> (assuming I have an account there), to all e-government services as well as
>> sending money in real-time only using a phone number as account identifier,
>> all based on Mobile BankID which is an "App" + X.509 certificate. S/MIME?
>> N/A (which says something about the state of eID "standardization").
>
> Can you sign legally bound online petitions? Can you yourself develop
> a platform where people could sign such petitions?

In theory you can but due to the general awkwardness of the Swedish eID
(closed, contract-based, paying relying parties), it won't happen.
Its only purpose was/is streamlining citizens' access to existing services.

Note: I was always very much against a closed eID but these days I only work with
eID technology and let other folks deal with business models, and legality.

When it comes to legality I believe the eID bandwagon got rolling (it is?) the wrong way.
No other important technology needed legislation _before_ it was established,
be it cars, nuclear energy, or the Web.  In the real world case law has proved
to be more practical like using DNA for forensics.  That is, it is up to a court
to decide if a signature is legally binding or not.  Most of the eID folks who
talk about legally binding signatures tend to focus on edge-cases like wills,
selling your house etc. rather than the mundane (boring) day-to-day transactions
which are really worth casting in IT.

I don't know if it makes you (or anybody else) happier but the 1Bn+ "secure
payment cards" do after 20 years still not work on the Web, which is why
they print the userid/password (PAN + CVC) on the surface to enable usage in
what the payment industry calls "Card Not Present" operations!

Apparently there is a major "Impedance Mismatch" between different parties
in this space...why would eID be any different?

Anders
Received on Saturday, 12 March 2016 06:10:47 UTC