Kyle,
The NDA situation is indeed very bad for progress.
Then the question is: who is going to standardize such a thing?
ITU does not really deal with browsers; this seems to be more a W3C, OASIS or IETF type of activity.
In my opinion there are other parts of the browser PKI support that may need an overhaul, like on-line key gen and certification. I'm sure on-line issuance will be the norm and at least the Xenroll stuff used in IE is really ugly and quite impossible for an ordinary user to understand (selecting CSP???). Many of the proprietary signature schemes therefore also have an equally proprietary issuance mechanism.
Anders
The previous stuff with links and NDAs added:
Recently a number of leading pharmaceutical companies who have formed an authentication forum (SAFE - http://www.safe-biopharma.org) launched an internally developed standard called USSI (Universal SAFE Signing Interface) [1,2].
However, similar WebSigning "standards" have also been launched by:
- The Swedish government [1, 2] - http://www.bankid.com
- The Austrian government - http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/
- The Norwegian government [1] - http://www.handel.no/pkiforum/seid/index.asp?id=1185
- The Danish government [1] - http://www.openoces.org
- The Estonian government [1] - http://www.openxades.org
- The Hongkong government [2] - https://e-business.hongkongpost.com/ecertdeveloper/eng/downloads.jsp
- The DoD - Not public
- Dozens of independent software vendors
[1] In cooperation with commercial vendors.
[2] NDA protected.
----- Original Message -----
From: "Kyle Hamilton" <[EMAIL PROTECTED]>
Sent: Tuesday, January 24, 2006 12:44
Subject: Re: The Browser Digital Signature Riddle
> AFAIK, *NONE* of the groups named above has *EVER* contacted the
> developers of mozilla's crypto code (NSS and PSM) about this.
> Just last month, we learned about the South Korean government's efforts,
> not from that government, but from some South Korean users (IINM).
>
> I strongly suspect that these groups have never approached ANY browser
> vendor. I doubt they approached Microsoft either. Many of these groups
> have written their own ActiveX controls for MSIE, but have stopped short
> of writing plugins/extensions for mozilla browsers.
>
> If the browser vendors are unaware of those efforts, it is because those
> groups did not inform the vendors. IMO, it's not very bright for those
> groups to design a plan that depends on integration with certain browser
> products, and then never initiate the integration with those products.
>
> I think many of those governments are accustomed to their citizens
> following every move they make, and they forget that browser vendors
> in other countries aren't subject to them and don't monitor them.
>
> AFAIK, today, each of those groups named above has designed their own
> solution that is not interoperable with any of the others. IMO, there's
> no way that mozilla is going to implement 15 different countries' ideas
> of how to do "web signing". Perhaps they should get together and start
> to form a true standard regarding this. But they shouldn't expect that
> browser vendors (whom they've never contacted) will do that for them, IMO.
>
> If one of them wants to *contribute* open source to mozilla, such a
> contribution would be seriously considered, I think.
The problem is that international standards are formalized by the ITU,
and this would be in the X.500 or X.600 series of documents. As far
as I can tell, no such standard exists. I'm very leery of
implementing any web-signing system until such a standard exists.
Incidentally, I'm told that USSI requires a non-disclosure agreement
to get a look at the specifications -- which makes it completely
unsuitable as a strong-authentication protocol that can be implemented
by the layman and forged by the open-source model.
-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto