Anders Rundgren wrote:
> A problem with this approach is that signText generates PKCS #7 signatures which are different (=incompatible) to XML Signatures. signText only offers signing of plain-text. There are many real-world (= implemented) e-gov applications that require more than that, not to mention uploaded attachments.

Good point, Anders. I had forgotten about that. While XML is plain-text and can, therefore, be signed by signText, I agree that even a simple document can present formidable XML; but until the plumbing is actually available, we may be getting ahead of ourselves in discussing the "look and feel" of the kitchen/bathroom.

> Due to the availability of several Java applet-based Open Source signature solutions that do not limit you to Firefox, plain-text, and PKCS #7, I would personally not bother with signText.

The real-world problem with the use of applets and plug-ins that must be deployed on the desktop is that many large enterprises are reluctant to do this. It represents one more item on the software stack they need to integrate, test, support and secure. Given the cost and scope of supporting one more un-integrated item on the desktop, many companies are eschewing this capability.

So, let me throw out a suggestion to the committers of Mozilla/Firefox: given that Apache has a C++ library that supports the W3C XMLSignature/XMLEncryption standard (http://xml.apache.org/security/), what are the chances of having this library integrated into Mozilla/Firefox with some new JavaScript functions that expose this API to developers?

This will solve many problems for enterprise applications:

- message level security, rather than transport-level;
- integrated signing/encryption functionality in the browser (and perhaps the Apache HTTP server?);
- eliminating a major barrier for corporate desktop support groups to support this functionality;

While I know that many PKCS7 aficionados will not see much benefit to "duplicating" capabilities inherent in PKCS7, given the way corporate applications are being developed today (they rely on XML very heavily) and trends in future application development (BPEL, XML databases) there is a natural predilection for developers to use tools that support XML natively.

I think Mozilla/Firefox will set new standards in applications and security by supporting such a capability natively.

Comments?

Arshad Noor
StrongAuth, Inc.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto