OASIS Mailing List Archives

pki-guidelines message


Subject: Transaction PKI -The Browser Plugin "Silver Bullet"

Anders R wrote:
> http://www.arcot.com/docs/SAFE_TPOC_FS.pdf shows a carbon copy of what I
> have suggested as a suitable scheme for Transaction PKI.

Arshad responded:
This architecture uses a plug-in.  Our goal is to avoid the use of a plug-in.

Stephen wrote (in an earlier message):
B.  For client side PKI ... I got the impression from your thread gentlemen that Anders' proposed method has an extension where client side private keys are also accommodated.  But Arshad wishes to avoid extra plug-ins etc.  I would agree.

But Arcot, the maybe 50 other vendors of web signature SW, and myself for some reason have concluded (based on the actual offerings), that the only way you can do web signing using existing browsers[1], is by adding some kind of browser extension usually in the form of an ActiveX control or Java applet plugin.

Apparently the Application Guidelines SC have found a "silver bullet" which the rest of the industry in spite of years of hard work have not managed to do.  Could you guys please enlighten us less gifted souls a bit?

Note that XML Signature code has been available for at least three years, and is thus not related to the fundamental problem (the deliberately restrictive browser security model), referred to in this posting.

Anders Rundgren
Principal Engineer
RSA Security

[1] To be fully correct: Mozilla Firefox indeed supports a native, non-standard, and rather primitive JavaScript signature function known as "signText()".
