Hi Anders,

On Tuesday 10 May 2005 14:13, Anders Rundgren wrote:
> >I'm not sure if it's a suitable alternative, but one of the
> >authentication schemes built into browsers etc, allows you to
> >authenticate to websites via x509 client certificates, and you don't
> >need to have any modifications made to browser or server software to
> >achieve it.
>
> Unfortunately not all service providers put an equal-sign between
> authentication and digital signatures.

Digital signatures in the sense you mean are a cryptographic operation. Authentication is a higher layer process which is part of a wider application; there is no way that the two could or should be equated in any sustainable or general sense.

> Although a digital signature is
> in this context essentially "a better OK button", the process is in fact
> somewhat stronger as:
> 1. There is (should IMHO be at least) a standardized user experience

IMHO this is irrelevant. The essence of a signature is to show that the user was in agreement. How this is done is up to the application, and arguably, a standardised user experience will probably mask the process rather than surface the agreement.

(I suspect what you are thinking here is that you will not see widespread adoption unless there is a std user interface. That's a separate issue, and it assumes that there is a large capital cost to the process, something I'd suggest wasn't the case.)

> 2. There is a cryptographic binding between the user's key/cert and the
> shown & signed document (as well as some other properties)

Whatever list you come up with, can I suggest a very simple test: Can you convince a court of this?

It's unlikely that you could convince a court of a "cryptographic binding" ... whatever that is. On the other hand, it is possible to design a simple digital signature that doesn't use crypto at all, and can convince a court.

> Such SW (including consulting), yearly sells for hundreds of millions of
> dollars so there are some who want this badly.

A question: does the software work? Can you show examples of contract formation that rely on it? Or do they just suffer it?

iang
--
http://iang.org/
