Graham Leggett wrote:
Ian G wrote:
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
The crypto.signtext() function is given a text string, and the browser
UI pops up a dialog box that invites the user to read the text, and then
if the user agrees with the content of the text, they are invited to
sign the text with their digital certificate.
The signed text is then placed into a form field, and is returned to the
server on POST. The server can then ask the question "is this text the
text I wanted signed?", followed by "is this text signed by the user
using a cert trusted by the CA(s) I have in my hand?".
For example, the server generates a piece of human readable text along
the lines of:
"The following claim note has been APPROVED for payment:
Claim note: Y / XYZCN / CARGO - Breakage
Paid To: Z
Date: 01-Sep-2008
Amount: (X)
VAT: X
Total: (X)"
If the user agrees with the text, they sign it. If they disagree with
the text, they don't. In this particular application, they can sign a
new declaration that withdraws a previous declaration, so they can
change their mind.
The text between the inverted commas represents the complete and only
thing the user is agreeing to. If it doesn't appear in the text block,
it doesn't get signed.
Thanks for the explanation!
There doesn't seem to be any standard for a way to make this work
that is common to all browsers. NSS provides the necessary crypto
code.
This requires a client-certificate HTTPS connection to the webserver
to make it happen?
No, this can happen over an insecure http connection. The connection
between the browser and server has nothing to do with the
crypto.signtext() function.
Typically, you would probably want to run it over an https connection,
but the point is there is no relationship between the signing of the
text and the transport over the network.
There is also no relationship between the CA used to trust the server
connection, and the CA used to trust the user's signature.
Wow, that is nice. So the java script is running the crypto access
completely separately from the HTTPS stuff?
OK, then, how does the browser manage the signed text? Store it
somewhere? Verify it somehow?
Without some sort of management, I'd worry that the system would not
survive scrutiny.
I'm personally wary of efforts that push to make it possible for users
to make such legally effective signatures without solving the problems
of how to protect the user.
Plus, they are generally not necessary. A digital signature isn't a
signature, whereas a checkbox with the words "I agree" is.
In law in the jurisdiction in which the application above runs, a
digital signature has the same legal weight in law as a paper signature.
OK, and is it a technologically neutral law? If so, then a checkbox /
agreement will work fine.
Or is it the European "qualified" thing, in which case, we enter a world
of pain? Or, even worse, in Germany, where they take the "qualified"
thing seriously, and suffer inordinately.
A checkbox with the words "I agree" is not a signature.
A check in a box can be an intent to agree, the check is a mark of
agreement, ergo it is a signature, and of course digital.
What it is not is a manuscript signature.
The differences are subtle, sure, but important.
You can define in law a contract which becomes enforceable as soon as
somebody performs a specific action. That action might be parking your
car in a parking space (and in the process you agree to the terms on the
sign at the entrance to the car park, if you disagree, don't park
there), or that action might be opening the seal on some packaging (if
you open this package you agree to the following software agreement, if
you disagree, don't open the package), or that action might be a
checkbox saying "I agree" (if you disagree, don't click on "I agree").
Right, precisely. Checkboxes can do agreements fine. Whether you need
more than that depends on the circumstances, somewhat.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
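
The two server-side questions described in the thread above ("is this text the text I wanted signed?" and "is it signed with a cert trusted by the CA(s) I have in my hand?"), as an added example that is not part of the original thread. It assumes the form field carries a detached PKCS#7 signature in PEM form; the helper names, the CA, the user certificate and the sample text are constructed for the demo, and `openssl smime -sign` stands in for the browser's signing step.

```shell
# verify_signed_text EXPECTED_TEXT SIGNATURE_PEM USER_CA_PEM  (hypothetical helper)
# Succeeds only if the detached signature covers exactly the server's own copy
# of the text AND the signer's certificate chains to the CA trusted for user
# signatures. That CA is independent of whatever CA issued the TLS server cert.
verify_signed_text() {
    openssl smime -verify -binary -inform PEM -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# make_demo DIR: constructed fixtures only (throwaway CA, user cert, texts).
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo User CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Approver" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null &&
    # Text the server generated and stored before showing it to the user.
    printf 'Claim note APPROVED for payment\nPaid To: Z\nTotal: (X)\n' \
        > "$d/expected.txt" &&
    # Stand-in for the browser: detached signature, content not embedded.
    openssl smime -sign -binary -in "$d/expected.txt" -signer "$d/user.pem" \
        -inkey "$d/user.key" -outform PEM -out "$d/sig.pem" 2>/dev/null &&
    # A text the user never saw, and an unrelated CA.
    printf 'Claim note APPROVED for payment\nPaid To: M\nTotal: (X)\n' \
        > "$d/other.txt" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
}

# demo: run the three cases a server has to tell apart.
demo() {
    d=$(mktemp -d) && make_demo "$d" || return 1
    verify_signed_text "$d/expected.txt" "$d/sig.pem" "$d/ca.pem" &&
        echo "expected text, trusted user CA: accepted"
    verify_signed_text "$d/other.txt" "$d/sig.pem" "$d/ca.pem" ||
        echo "different text, same signature: rejected"
    verify_signed_text "$d/expected.txt" "$d/sig.pem" "$d/other-ca.pem" ||
        echo "signer not under the trusted user CA: rejected"
    rm -rf "$d"
}
demo
```

The verification is run against the server's stored copy of the text, not against text echoed back by the client, which is what answers the first question.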