OASIS Mailing List Archives
pki-guidelines message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"


Arshad,
The browser security model does not allow a web page,
which by definition is "untrusted", to call APIs that have not
been explicitly exposed in the browser for this purpose.
Private key APIs as required for signatures are currently
not exposed in browsers [1].  If they were to be exposed,
they would also need built-in GUIs, as such APIs must not
allow "background authentications" and similar.

These considerations are not honored by general purpose XML
Security libraries from vendors like RSA, SUN, and Apache.

Plugins or downloadable extensions are currently the only
available method for exposing new client-side functionality
to web pages without requiring browser updates.  AJAX
neither circumvents nor extends the browser security model;
it "only" adds a smarter browser-to-server communication
framework than that offered by "plain-vanilla" HTML applications.

This information is simple to verify by subscribing to a suitable
security mailing list and, as a "PKI newbie", asking "You Gurus" for advice.
I have used this method extensively, and it is both cheap and fast.
It is also interesting to watch the total mess on a list, when a
not-so-trivial question is put :-)

Regarding politics, I can only testify that standards are only to a
minor extent about technology; the core is really to "sell" the
standard, which in the case of PKI means politics, due to the
rather heavy government bias towards this technology.

thanx
Anders

[1] Mozilla's signText is the exception, but this one does
a PKCS #7 signature only, using plain text, which is not what
the market, you and I want.

----- Original Message ----- 
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: "PKI Application Guidelines" <pki-guidelines@lists.oasis-open.org>
Sent: Tuesday, January 03, 2006 00:15
Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"


Would you care to elaborate why this does not work
technically, Anders?  I think I know where the gaps
are, but I am interested in understanding what you
perceive as being unworkable.  Please focus your
answers on the technology only without discussing
political or organizational issues.  Thanks.

Arshad Noor
StrongAuth, Inc.

Anders Rundgren wrote:

> Unfortunately it does not [technically] work as you claim.
> 

> ----- Original Message ----- 
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI Application Guidelines" <pki-guidelines@lists.oasis-open.org>
> Sent: Monday, January 02, 2006 22:54
> Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"
> 
> 
> With the advent of XML, signText() is more than adequate, as
> long as form content is capable of being represented as an XML
> object, which is precisely what the IBM technology does through
> ECMAscript for XML.  So, the following is now possible:
> 
>    Form content + E4X = XML + signText() = XML Signature
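The exchange above turns on the pipeline "form content + E4X = XML + signText()": the form is serialized to XML text and that text is handed to the legacy Mozilla signText() call, which, as the footnote notes, returns a PKCS #7 signature over the plain text it is given. The following is an added example, not code from either poster, that shows the two halves of that pipeline with the signing function made pluggable. Field names and values are constructed; the `formToXml`, `signFormAsXml` and `escapeXml` names are the example's own; the signText contract assumed (string in, base64 PKCS #7 blob out, or a string beginning with "error:" on cancel or no matching certificate) is the legacy Mozilla one and the API is absent from modern browsers, so the default signer resolves to nothing outside such a browser.

```javascript
// Added example (not from the thread): "form content -> XML -> signText()".
// The XML step runs anywhere; the signing step is injected so the code can
// be exercised without the legacy window.crypto.signText API.

// Escape the five XML special characters so a field value cannot break out
// of its element and inject markup into the document that gets signed.
function escapeXml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Serialize a map of form fields into a small, deterministic XML document.
// Keys are sorted so the same form content always yields byte-identical
// text; this matters because the signature covers the exact string.
function formToXml(fields, rootName = "form") {
  const body = Object.keys(fields)
    .sort()
    .map((n) => `<field name="${escapeXml(n)}">${escapeXml(fields[n])}</field>`)
    .join("");
  return `<${rootName}>${body}</${rootName}>`;
}

// Resolve a signText-style function if the (legacy) browser exposes one.
function defaultSignText() {
  const c = globalThis.crypto;
  return c && typeof c.signText === "function" ? c.signText.bind(c) : null;
}

// Sign the serialized form. `signText` is any function (text, caOption) that
// returns a base64 PKCS #7 blob or an "error:..." string (legacy Mozilla
// contract). The "error:signTextUnavailable" value is constructed here for
// the case where no signer exists. Note that the result is an opaque PKCS #7
// blob alongside the XML, not an XML Signature embedded in it.
function signFormAsXml(fields, signText = defaultSignText()) {
  const xml = formToXml(fields);
  if (!signText) {
    return { xml, ok: false, error: "error:signTextUnavailable" };
  }
  const result = signText(xml, "ask"); // "ask" prompts the user for the cert
  if (typeof result !== "string" || result.startsWith("error:")) {
    return { xml, ok: false, error: String(result) };
  }
  return { xml, ok: true, pkcs7: result };
}

// Usage: constructed form content, signed with whatever signer is present.
const demo = signFormAsXml({ amount: "100", payee: "ACME <Ltd>" });
console.log(demo.xml, demo.ok ? "signed" : demo.error);
```

The escaping step is the part a reviewer would look for first: without it, a payee field containing `</field><field name="amount">1</field>` would change the structure of the document the user is asked to sign. The separation of `xml` and `pkcs7` in the return value makes the footnote's point visible in code: the signed artifact is a PKCS #7 object over the text, and whether that counts as an "XML Signature" is the question the two posters disagree on.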