Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"
Arshad,

The browser security model does not allow a web page, which by definition is "untrusted", to call APIs that have not been explicitly exposed in the browser for this purpose. Private key APIs as required for signatures are currently not exposed in browsers [1]. If they were to be exposed, they would also need built-in GUIs, as such APIs must not allow "background authentications" and similar. These considerations are not honored by general purpose XML Security libraries from vendors like RSA, SUN, and Apache.

Plugins or downloadable extensions are currently the only available method for exposing new client-side functionality to web pages without requiring browser updates.

AJAX is neither circumventing nor extending the browser security model; it "only" adds a smarter browser-to-server communication framework than offered by "plain-vanilla" HTML applications.

This information is simple to verify by subscribing to a suitable security mailing list and, as a "PKI newbie", asking "You Gurus" for advice. I have used this method extensively, and it is both cheap and fast. It is also interesting to watch the total mess on a list when a not-so-trivial question is put :-)

Regarding politics, I can only testify that standards are only to a minor extent about technology; the core is really to "sell" the standard, which in the case of PKI means politics, due to the rather heavy government bias towards this technology.

thanx
Anders

1) Mozilla's signText is the exception, but this one does a PKCS #7 signature only using plain text, which is not what the market, you and I want.

----- Original Message -----
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: "PKI Application Guidelines" <pki-guidelines@lists.oasis-open.org>
Sent: Tuesday, January 03, 2006 00:15
Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"

Would you care to elaborate why this does not work technically, Anders?
I think I know where the gaps are, but I am interested in understanding what you perceive as being unworkable. Please focus your answers on the technology only without discussing political or organizational issues.

Thanks.

Arshad Noor
StrongAuth, Inc.

Anders Rundgren wrote:
> Unfortunately it does not [technically] work as you claim.
>
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI Application Guidelines" <pki-guidelines@lists.oasis-open.org>
> Sent: Monday, January 02, 2006 22:54
> Subject: Re: [pki-guidelines] Transaction PKI -The Browser Plugin "Silver Bullet"
>
>
> With the advent of XML, signText() is more than adequate, as
> long as form content is capable of being represented as an XML
> object, which is precisely what the IBM technology does through
> ECMAscript for XML. So, the following is now possible:
>
> Form content + E4X = XML + signText() = XML Signature