Eddy Nigg wrote:
> On 11/19/2008 05:52 PM, Anders Rundgren:
>> In the meantime, wouldn't it be of some value if Mozilla tried to
>> satisfy a PKI-related activity that in number of users, already is
>> much bigger than S/MIME, i.e. the concept of "Web Signing"?
>
> What is this supposed to be? Perhaps I missed it?

I think this is a reference to the action historically called "form signing" (or more accurately "form post signing") in Mozilla. It's a way to sign the data being sent in to a web server with the user's private key, as the data is being sent. Mozilla implements this with a JavaScript extension known as "crypto.signtext". I think IE implements it with an ocx (an ActiveX module). There doesn't seem to be any standard for a way to make this work that is common to all browsers.

NSS provides the necessary crypto code. What's missing is the definition of the way (syntax) by which to invoke it in the browser. If I recall correctly, Anders has proposed something for that purpose, and perhaps he has developed some software for that purpose.

There are some fundamental issues with this stuff, such as, how does the user know what he's being asked to sign? How does he know that he's not being asked to sign a document conveying the deeds for all his real property to the web site owner? In some countries where digital signatures have the full force of law, just like a real signature, this could be a serious issue.

I'm personally wary of efforts that push to make it possible for users to make such legally effective signatures without solving the problems of how to protect the user.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

