>The point is that the XMLSEC code already exists and
>conforms to W3C standards (the Java version conforms
>to two different JSRs). What's missing is the
>integration of such a library into Mozilla/Firefox,
>and the JavaScript functions to expose the API.

I think this description of the problem is overly simplistic to say the least. A browser can be regarded as a Virtual Machine (VM), typically running *untrusted* application code (e.g. downloaded HTML pages), in a sandbox mode. The libraries and JSRs you refer to are programmatic interfaces supposed to be called by *trusted* applications. AFAIK, neither the concept of an interactive user nor a display is a part of this. That is, the thing that you call "integration" is really something much more complex than exposing a few existing security APIs in JavaScript.

As you are very well aware, there are other ways to achieve the sought functionality than by using JavaScript. I don't see why you dismiss these schemes, particularly since nobody has to date come up with any kind of "competing" specification based on JavaScript.

>Any thoughts from the people at Mozilla/Firefox?

Believe me, since the interest in this topic has not been particularly well manifested among those who actually *invest* in Open Source developments, you cannot expect much support at this humble stage.

Anders Rundgren
Working with an XML-only web-signature standards proposal.

----- Original Message -----
From: "Arshad Noor" <[EMAIL PROTECTED]>
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Wednesday, June 21, 2006 04:40
Subject: Re: Sign/Verify text in FireFox

Anders Rundgren wrote:
> An inherent problem with this suggestion is that it is not
> backed by a specification that can be translated into code.
>

The point is that the XMLSEC code already exists and conforms to W3C standards (the Java version conforms to two different JSRs). What's missing is the integration of such a library into Mozilla/Firefox, and the JavaScript functions to expose the API. Once defined and shaken out, the JS functions can be proposed to ECMA for inclusion into the standard.

> I also believe that the market-perception is questionable. If
> there actually is a strong demand for this functionality within the
> enterprise, how come that none of the standards bodies have
> something along those lines on their menu?
>

I don't believe that an advancement in technical capability has to be preceded by a standard from a standards body. (If memory serves me right, ironically, we are discussing this issue in a forum whose core technology - SSL - established a new bar for web security before the standard was created - TLS). Standards bodies are useful for creating structure in established markets; they don't necessarily lead markets.

Any thoughts from the people at Mozilla/Firefox?

Arshad Noor
StrongAuth, Inc.

<snip>

> So, let me throw out a suggestion to the committers of Mozilla/Firefox:
> given that Apache has a C++ library that supports the W3C XMLSignature/
> XMLEncryption standard (http://xml.apache.org/security/), what are the
> chances of having this library integrated into Mozilla/Firefox with
> some new JavaScript functions to expose this API to developers? This will
> solve many problems for enterprise applications:
>
> - message level security, rather than transport-level;
> - integrated signing/encryption functionality in the browser (and
>   perhaps the Apache HTTP server?);
> - eliminating a major barrier for corporate desktop support groups
>   to support this functionality;
>
> While I know that many PKCS7 aficionados will not see much benefit to
> "duplicating" capabilities inherent in PKCS7, given the way corporate
> applications are being developed today (they rely on XML very heavily)
> and trends in future application development (BPEL, XML databases)
> there is a natural predilection for developers to use tools that
> support XML natively.
>
> I think Mozilla/Firefox will set new standards in applications and
> security by supporting such a capability natively. Comments?
>
> Arshad Noor
> StrongAuth, Inc.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto