[whatwg] Browser Signature Standards Proposal

Alexey Feldgendler alexey at feldgendler.ru
Thu Nov 2 21:33:38 PST 2006

On Thu, 02 Nov 2006 15:55:54 +0600, Michael(tm) Smith <mikes at opera.com> wrote:

>> This is a problem of browser UI design, not of web standards.

> What do you expect might happen when N different browser vendors
> each go off on their own and, working in isolation from one
> another, independently design and implement their own interfaces
> for handling what we've been discussing?

Not in isolation. They should cooperate, of course, and come up with a common solution. But WHAT is not about browser UI, so it's out of scope here. WHAT should not try to compensate the lack of proper browser UI with features in HTML that duplicate features in HTTP/SSL.

>> As I say above, this should be solved at browser UI level. The
>> browsers should make it clear to the user that presenting a
>> client-side certificate to a website is effectively an act of
>> disclosing and proving the user's identity, and that every piece
>> of information he sends to the server (every user action) is
>> non-repudiable.

> I'd love to hear some concrete suggestions on how you'd propose
> going about making that all clear to users through the browser UI.
> I just hope it's not a dialog box with text saying "Presenting a
> client-side certificate to a website is effectively an act of
> disclosing and proving your identity, and every piece of
> information you send to the server (every action) is
> non-repudiable", with a checkbox that says "Don't show me this
> warning next time."

Presentation of a client-side certificate should be an explicit action, like entering a password (and, in fact, presentation of some certificates actually requires entering a passphrase). There should be an UI widget, like a button or such, to "present your identity to the website", with a choice of "identities" (certificates) to present. There should be an indicator which shows that you that a client-side certificate is in use. The client-side certificate chosen for one domain should not affect other domains. There should be a way to stop presenting the certificate. By default, this should automatically happen when closing the browser.

Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com

More information about the whatwg mailing list