On Wed, Nov 20, 2013 at 5:40 AM, Benjamin Smedberg <benja...@smedbergs.us> wrote:
> I'm pretty sure that WebCrypto will have a way to sign a document with a
> certificate. It's not clear to me whether WebCrypto as currently specced
> also has a way to prompt the user to access personal certificates.
> bsmith/ekr, do you know what the capabilities are?

There is no certificate functionality in the draft. IIRC, this was considered a "secondary use case" and might not be handled by the base W3C Web Crypto API spec. Also, there is some uncertainty over whether we would implement that spec in the first place.

Regardless, signing with a certificate is something that there are multiple reasons for supporting. Unfortunately, the UI issues regarding it are tough. If you make it too easy, users may literally sign away all their money with no recourse, or sign a legal document that they don't intend to sign. If we make the UI too careful, it may be unusable. The actual work of writing the code to sign something with a certificate should be easy to complete, once there is an acceptable UI spec.

> It seems like a clear win to me for our cryptosystem to be able to access
> certificates in CAPI, whether or not we honor the system root certificates
> by default or not. This could also be used with the existing system of HTTPS
> client certificates, which is seldom used on the web currently primarily
> because the UI sucks.

Agreed.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)