On Tuesday 10 May 2005 13:09, Anders Rundgren wrote:
> Hi Crypto-Mozillians,
>
> I wonder if any of you guys have any interest in making Mozilla
> set the standard for on-line signing (a.k.a. WebSign)?
>
> http://web.telia.com/~u18116613/onlinesigstdprop.ppt

I'm unable to read PPT, perhaps you could
cut&paste these things here:

* What is the meaning of the signature?
* What is the document or contract that the
  signature is over?
* What is the likely dispute resolution process?
* Who are the parties?

There is a bit of sort of myth that a cryptographic
digital signature is like a human signature. It's not
really much like that at all, and using it without
thought does not work. As evidence of that, we're
still waiting after 3 decades...

If one wants to do human signing in all its generality
then there are a number of barriers that have to be
crossed, more than can be described in a quick
email. OTOH if one has a specific application and
one can reduce the complexities, then something
more useful can be done.

How refined can you make your application?

> In Sweden 400 000 citizens used web-sign to file tax declarations
> using a non-public "bank-standard".

At the core of this would be that the banks have
distributed to each of their clients a private key
of some form? Am I guessing right here? Also,
just as described, this would be considered to
be a fiscal mark within an application set up for
fiscal marks by organisations that do fiscal stuff,
so it sort of works.

But it won't generalise. Consider that the banks
above are standing behind each signature, and
then generalise it to say I buy a house using a
Verisign cert from a person using a Comodo cert
and both of us are in separate countries and the
house happens to be in another. No chance of
that working.

> I have been trying to raise a standardization effort in IETF-PKIX but the
> general belief seems to be that browsers don't count for anything
> serious.

That would be a mistake :) It would be an equal
mistake to assume that adding a signing capability
would give us signatures.

> W3C felt the task was too complex and also that such an effort would
> make the web less competitive as you would not be able to compete
> with signature solutions (which BTW is a pure consultant paradise).

Isn't W3C a body of corporates? They would only
be interested in commercial product. They aren't
likely to be that interested in a new product without
a market.

> At the same time just about every e-government is indeed targeting
> the web as the primary input output channel.

Whatever. It's unimportant who's targeting what.
Governments, especially, have passed laws
saying that digsigs are the way of the future,
and look where that got them.

What's important is who's succeeded in getting
lots of working signatures. And how they did
it by narrowing the scope of their signatures to
highly specific things.

iang
--
http://iang.org/