Ian G wrote:
This requires a client-certificate HTTPS connection to the webserver
to make it happen?
No, this can happen over an insecure http connection. The connection
between the browser and server has nothing to do with the
crypto.signtext() function.
Typically, you would probably want to run it over an https connection,
but the point is there is no relationship between the signing of the
text and the transport over the network.
There is also no relationship between the CA used to trust the server
connection, and the CA used to trust the user's signature.
Wow, that is nice. So the JavaScript is running the crypto access
completely separately from the HTTPS stuff?
Yes.
OK, then, how does the browser manage the signed text?
It just sends the PKCS#7 blob along with the form. The server-side
application has to validate the signature and parse the input data from
the simple HTML which was signed.
Store it somewhere? Verify it somehow?
Nope.
Ciao, Michael.
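
The server-side validation described above, as an added example that is not part of the original thread. It assumes the submitted form field is a base64, detached PKCS#7 signature over the exact text shown to the user; the CA names, file names and form text are constructed, and the `openssl smime` command line stands in for both the browser and the server application.

```shell
#!/bin/sh
# Added example: all subjects, files and the form text below are constructed.
WORK=$(mktemp -d)

new_ca() {  # new_ca <name> <CN>: throwaway self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_test_material() {
  new_ca userca "Example User Signing CA"  # trusted for user signatures
  new_ca tlsca  "Example TLS Server CA"    # unrelated CA, as for the HTTPS server
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example User" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/userca.pem" \
    -CAkey "$WORK/userca.key" -CAcreateserial -days 1 \
    -out "$WORK/user.pem" 2>/dev/null
  printf 'I authorise order 42 for 10 EUR\n' > "$WORK/shown.txt"
  # Stand-in for the browser: detached PKCS#7 over the text, base64 encoded.
  openssl smime -sign -binary -in "$WORK/shown.txt" -signer "$WORK/user.pem" \
    -inkey "$WORK/user.key" -outform DER | openssl base64 -A > "$WORK/sig.b64"
}

# verify_signed_text <base64 PKCS#7> <text file> <CA file>
# Returns 0 only if the signature covers exactly that text and the signer
# chains to the given CA. -no-CApath keeps the system trust store out of it.
verify_signed_text() {
  printf '%s' "$1" | openssl base64 -d -A > "$WORK/sig.der" || return 1
  openssl smime -verify -binary -inform DER -in "$WORK/sig.der" \
    -content "$2" -CAfile "$3" -no-CApath -out /dev/null 2>/dev/null
}

make_test_material
SIG=$(cat "$WORK/sig.b64")
printf 'I authorise order 42 for 9999 EUR\n' > "$WORK/tampered.txt"

verify_signed_text "$SIG" "$WORK/shown.txt" "$WORK/userca.pem" \
  && echo "accepted: signed text, user-signing CA"
verify_signed_text "$SIG" "$WORK/tampered.txt" "$WORK/userca.pem" \
  || echo "rejected: text differs from what was signed"
verify_signed_text "$SIG" "$WORK/shown.txt" "$WORK/tlsca.pem" \
  || echo "rejected: signer does not chain to this CA"
```

The third check shows the separation of trust anchors mentioned in the thread: the CA behind the server's HTTPS certificate plays no part in deciding whether the user's signature is trusted.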