[whatwg] Lack of standard for digital signatures [was Joe Clark's Criticisms of the WHATWG and HTML 5] from Channy Yun on 2006-10-31 (public-whatwg-archive@w3.org from October 2006)

From: Channy Yun <channy@creation.net>
Date: Wed, 1 Nov 2006 02:17:15 +0900
Message-ID: <3586624e0610310917w650ae2cai3492e1636a6a1aeb@mail.gmail.com>

Anders,

As you said, we may not get sufficient informations to standardize
digital signature. But, in case of Korea, I'll sufficiently give them.
The spec. and interface are almost standardized by governmental rules
to all vendors.

In Korea, the own cryptic algorithm has been encouraged, so vendors
couldn't use browser-implemented things such as DES. This is first
reason to use activex controls.

Second is for digital signature. Legally, all data must be signed by
user's key. When the money is sent, it needs to know who sends the
money. So activex control has almost same user interface with
browser's certificate manager.

When an user enters an internet banking site, activex are embedded.
User's data by action go to activex control and are encrypted by SEED
and signed by user's key. Encrypted and signed data gives hidden form
in web page again. When an user submit it, the data were transferred
to web server. The server-side application decrypts and verifies the
data and proceeds proper actions. Web server transfers the web page by
requested actions.

First thing is not standardized. National algorithm such as SEED or
Camella is problems between browser vendor and its governments. Second
can be done such as (re)issue and revocation of personal certificates,
the digital signature such as old crypto.sign.Text().

As following is one of this efforts.
http://middleware.internet2.edu/pki06/proceedings/rundgren-websigning.ppt

Channy

On 10/31/06, Anders Rundgren <anders.rundgren at telia.com> wrote:
> >> >The use of proprietary mechanisms (mostly ActiveX controls) for
> >> >digital signatures is common in Korean sites as well, including
> >> >Korean government sites.
>
> >> That's right. They sure are proprietary; I was not even able to get
> >> the Korean e-goverment signature spec since it is "secret"!
>
> >Korean mechanism is same with general pki's. Its structure has been
> >followed by pki standards and browser user-interface for certificates.
> >The different things has own 128bit cryptography algorithm so called
> >SEED and adds digital signature for messages to be legal authorizing.
> >This spec is not secret and gives in http://www.rootca.or.kr/maine.jsp
>
> Dear Channy,
>
> I may have been careless but I could not find the spec of the activeX control
> (or similar) that is what I refer to as the proprietary solution.
>
> I may also have confused Korea with Hongkong who definitely claimed that
> their scheme requires an NDA.  The same goes for the Australian scheme
> which is not public.
>
> BTW, the Swedish and Norwegian government's signature systems are also
> secret since they are developed by banks.
>
> Anders
>
>

Received on Tuesday, 31 October 2006 09:17:15 UTC