OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-guidelines message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin"Silver Bullet"

Anders Rundgren wrote:
> Anders R wrote:
>  > http://www.arcot.com/docs/SAFE_TPOC_FS.pdf shows a carbon copy of what I
>  > have suggested as a suitable scheme for Transaction PKI.
>  > 
> /Arshad responded:/
> /This architecture uses a plug-in.  Our goal is to avoid the use of a 
> plug-in. /
> // 
> /Stephen wrote (in an earlier message):/
> /B.  For client side PKI ... I got the impression from your thread 
> gentlemen that Anders' proposed method has an extension where client 
> side private keys are also accommodated.  But Arshad wishes to avoid 
> extra plug-ins etc.  I would agree./
> // 
> But Arcot, the maybe 50 other vendors of web signature SW, and myself 
> for some reason have concluded (based on the actual offerings), that the 
> only way you can do web signing using existing browsers[1], is by adding 
> some kind of browser extension usually in the form of an ActiveX control 
> or Java applet plugin.
	The reason the 50 vendors developed plug-ins is because browser
	never provided a mechanism for signing form content through an
	API, other than the primitive signText(), as you acknowledged.

	With the advent of XML, signText() is more than adequate, as
	long as form content is capable of being represented as an XML
	object, which is precisely what the IBM technology does through
	ECMAscript for XML.  So, the following is now possible:

	   Form content + E4X = XML + signText() = XML Signature

	which is exactly what we're trying to achieve without the use
	of plug-ins.

	This is the type of architecture I hope for this SC to discuss
	and investigate through the OASIS-funded resource.

> Apparently the Application Guidelines SC have found a "silver bullet" 
> which the rest of the industry in spite of years of hard work have not 
> managed to do.  Could you guys please enlighten us less gifted souls a bit?
	We haven't found a silver bullet, Anders; just that technology
	has evolved to a point where existing and some new capabilities
	are able to deliver what we want.  All that remains now is to
	determine how well it works, and what are the barriers to
	standardization and industry-wide implementation.

Arshad Noor
StrongAuth, Inc.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]