On Fri, 17 May 2002, Andre John Cruz wrote:
>
> OK, so how can a web-based program sign documents/email using a private key
> that it has no access to if this is the case?
>
> does that mean i have to come up with a platform-specific (or at least Java
> desktop-based) application to do the signing?
>
yep, the java app that gets loaded from the website must have access to
the desktop computer's drive where it keeps the user's private key. the
private key in turn should also be encrypted by a symmetric cipher when
stored on disk, so the java app must ask the passphrase from the user so
it can decrypt and use the private key. to make it harder for trojans
(like BO2K) to 'sniff' at the passphrase typed by the user at the
keyboard, maybe you can create an on-screen keyboard where the user can
click the passphrase characters.
also, the website must be secured by an SSL certificate to prevent
man-in-the-middle tampering of the java code. and you could sign the java
app as an added protection so crackers getting into the webserver could
not easily replace the java app without trigerring a warning to the user.
pong
_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]
