-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: Keith Yuen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 23, 2000 2:14 PM
>
> I am currently involved in an online Internet shopping project. I
> have some questions regarding the digital certificate and signature
> stuffs. We have employed IIS 4.0 as a web server and Oracle 8 as a
> back-end database. Basically, we authenicate users by their user
> name and password as well as a valid digital certificate. We will
> then match the information obtained from the certificate with the
> predefined user profile stored in the database. In addition, SSL is
> used to encrypt data during tranmission. The question is that I am
> not quite sure how to handle the users' digital signature properly.
> Do I need an extra plug-in for my web to force the users to sign
> their message everytime they send an order ? I am surprise that I
> cannot find any web site that make use of digital signature to
> protect against non-repudation. Please direct me if any.
Keith,
yes you do. Out of the box you can read certificate properties using
ASP scripts, however, you want to be able to have the 'client' sign
their input and transmit it to the web server. For that you need
support on the client. That can be done through Java applets.
Another nice idea for non-repudiation of users input is to issue
tokens to clients, which enter their data in a standard form, but
also include a signature value the token can calculate. That would
require support on the web server, and those things are commercially
available. Vasco's tokens can sign and they have add-ons for the
server end to validate the signature.
The question in your scenario is: What do you need the signature for?
In case a client claims he ordered 1000 items instead of 100? If you
need the signature for justification to the client, then a Java
applet may not be the best choice. Since you are SSL encrypting your
channel anyway, there should not be concern for any data alteration
during transport. You can always proof by your server logs that a
certain value was entered (just make sure these logs employ
signatures). A Java applet would be too silent. a) The client is not
conscious that the data was signed, and b) since the mechanism
resides on the client, someone might break it and misuse it. I
personally like the idea of having the client enter a control
variable, so that a) he is aware that he signed/entered it, and b)
there is nothing that be compromised on the client side (since the
control mechanism resides on the server end.
Just some thoughts...
Regards,
Frank
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.
iQA/AwUBOQNRHURKym0LjhFcEQKOQACcCuXw03MCtAaoZFk9K2rDeMv5c+cAoNby
J7NJeSP1janLJDs8PpYrSJMA
=h2uU
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
