Re: signing text in browser with client certificate

Hash: SHA1

I found the following within the document [D1] »Web Cryptography API« (W3C
Working Draft 13 September 2012), chapter 4.4 (Out of scope):

"This API, while allowing applications to generate, retrieve, and manipulate [..]"

As far as I can see this is also the latest published version. As I understand
from the document it does not define the way of implementation itself. Therefore
your question regarding obstacles is indeed a valid one!

I think it is mandatory to ensure that the user agent does not get compromised
(a lot of techniques are required here) and the local certs are kept safe by all
means (even when the user agent was compromised). I think a special UI is not
necessary here but an extension of configuration menus, maybe a generator for
certs, a checker/validator, and something like that. Maybe this could look a
little bit like the OpenPGP menu and config stuff for e.g. in Thunderbird. This
is for the client-side implementation.

Finally I recommend you to read chapters 5 (Security considerations), 6 (Privacy
considerations), 9 (Algorithm dictionary) since one should not use arbitrary
algorithms and chapter 10ff. (Key interface). The chapters following 10 are all
more or less related to the interface. Chapter 23 (Algorithms) covers the used
algorithms and chapter 25 (JavaScript Example Code) contains an example in
This is for the server-side implementation.

I hope that was helpful to you! ;-)

[D1] http://www.w3.oorg/TR/2012/WD-WebCryptoAPI-20120913/#scope-out-of-scope

Kind regards

Mathias Hollstein
Non-Governmental Intelligence Organization
Frankfurt, Germany

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


Received on Saturday, 29 December 2012 12:17:40 UTC