Nelson Bolyard wrote:
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-
related activity that in number of users, already is much bigger than
S/MIME,
i.e. the concept of "Web Signing"?
What is this supposed to be? Perhaps I missed it?
I think this is a reference to the action historically called "form signing"
(or more accurately "form post signing") in Mozilla. It's a way to sign the
data being sent in to a web server with the user's private key, as the data
is being sent. Mozilla implements this with a javascript extension known
as "crypto.signtext". I think IE implements it with an ocx (an Active-X
module).
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
There doesn't seem to be any standard for a way make this work
that is common to all browsers. NSS provides the necessary crypto code.
This requires a client-certificate HTTPS connection to the webserver to
make it happen?
What's missing is the definition of the way (syntax) by which to invoke it
in the browser. If I recall correctly, Anders has proposed something for
that purpose, and perhaps he has developed some software for that purpose.
Right, Anders pointed me to this in private email:
http://upi-using-service.webpki.org
http://webpki.org/
There are some fundamental issues with this stuff, such as, how does the
user know what he's being asked to sign? How does he know that he's not
being asked to sign a document conveying the deeds for all his real property
to the web site owner?
Right.
In some countries where digital signatures have the
full force of law, just like a real signature, this could be a serious issue.
And in other countries, how do we know that it is a sign of intent?
I'm personally wary of efforts that push to make it possible for users to
make such legally effective signatures without solving the problems of how
to protect the user.
Plus, they are generally not necessary. A digital signature isn't a
signature, whereas a checkbox with the words "I agree" is.
Well, my first thought was: this can't work, for all the normal reasons
why digital signatures don't work. My second thought was, gee, I need
it in a project I'm working on. Oops!
Hmmm... I wonder what my third thought will be...
Seriously though, I can see lots of applications for it, but the
infrastructure required makes this less of a tech concept and more of a
legal / document management management concept is missing in most
contexts. This is a business problem not a tech problem.
iang
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
