Anders Rundgren wrote:
An inherent problem with this suggestion is that it is not
backed by a specification that can be translated into code.
The point is that the XMLSEC code already exists and
conforms to W3C standards (the Java version conforms
to two different JSRs). Whats missing is the
integration of such a library into Mozilla/Firefox,
and the JavaScript functions to expose the API.
Once defined and shaken out, the JS functions can be
proposed to ECMA for inclusion into the standard.
I also believe that the market-perception is questionable. If
there actually is a strong demand for this functionality within the
enterprise, how come that none of the standards bodies have
something along those lines on their menu?
I don't believe that an advancement in technical
capability has to be preceded by a standard from a
standards body. (If memory serves me right, ironically,
we are discussing this issue in a forum whose core
technology - SSL - established a new bar for web
security before the standard was created - TLS).
Standards bodies are useful for creating structure
in established markets; they don't necessarily lead
markets.
Any thoughts from the people at Mozilla/Firefox?
Arshad Noor
StrongAuth, Inc.
<snip>
So, let me throw out a suggestion to the committers of Mozilla/Firefox:
given that Apache has a C++ library that supports the W3C XMLSignature/
XMLEncryption standard (http://xml.apache.org/security/), what are the
chances of having this library integrated into Mozilla/Firefox with
some new JavaScript functions expose this API to developers? This will
solve many problems for enterprise applications:
- message level security, rather than transport-level;
- integrated signing/encryption functionality in the browser (and
perhaps the Apache HTTP server?);
- eliminating a major barrier for corporate desktop support groups
to support this functionality;
While I know that many PKCS7 afficionados will not see much benefit to
"duplicating" capabilities inherent in PKCS7, given the way corporate
applications are being developed today (they rely on XML very heavily)
and trends in future application development (BPEL, XML databases)
there is a natural predilection for developers to use tools that
support XML natively.
I think Mozilla/Firefox will set new standards in applications and
security by supporting such a capability natively. Comments?
Arshad Noor
StrongAuth, Inc.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
