Ian G wrote:
Nelson Bolyard wrote:
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-
related activity that in number of users, already is much bigger than
S/MIME,
i.e. the concept of "Web Signing"?
What is this supposed to be? Perhaps I missed it?
I think this is a reference to the action historically called "form
signing"
(or more accurately "form post signing") in Mozilla. It's a way to
sign the
data being sent in to a web server with the user's private key, as the
data
is being sent. Mozilla implements this with a javascript extension known
as "crypto.signtext". I think IE implements it with an ocx (an Active-X
module).
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
Yes, more or less. There are several approaches in proprietary products.
With Netscape's form signing the web application had to generate simple
HTML from the form content which was displayed in a separate
popup-window. I vaguely remember that the HTML displayer was restricted
to avoid white on white or similar faking. The simple HTML blob was then
signed (PKCS#7).
There doesn't seem to be any standard for a way make this work
that is common to all browsers. NSS provides the necessary crypto code.
This requires a client-certificate HTTPS connection to the webserver to
make it happen?
No.
This is a business problem not a tech problem.
Exactly!
Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
