
Re: On-line signature standards: msg#00073

lib.muscle

Subject: Re: On-line signature standards

"Martin Buechler" <martin.buechler@xxxxxxx> wrote:
>Just for clarification: What do you define as 'signing on-line data on
>the web using Internet browsers' and where could one find an example?

The scenario is that you are connected to an on-line service like a bank
and at a certain phase have to acknowledge a transaction you have created
in an interactive process. Then the provider asks you to sign, which, using
PKI, is supposed to trigger a web-signing plugin/tool. There are many such
on the market, all different and all covered by NDAs. SmartTrust's
"Personal" is one such fairly well spread product.

>Personally, I use S/MIME email quite a lot; this is signed on-line data
>too, isn't it?

I would not categorize mail as on-line as you create the data to be
sent in an off-line process. In the on-line scenario it is usually the
provider (server) that sends something down to you (through the
browser) to take action on. I refer to this as signing "wet" and "dry"
documents respectively.

>There are technical standards that are adopted, like PKCS#11 and #7 in
>ISIS-MTT in Germany and PKCS#15, i.e. the Finnish FINEID card. Still you
>are right, because although we would have enough de-facto open
>international standards concerning smartcards and security, the German
>DIN institute invents/changes new mandatory card layouts every other
>day, and even an accredited card like the NetCard by Telesec contains
>non-X509 certificates and offers absolutely no documentation for their
>TCOS card OS. Cards without ISO file system, like JavaCards, are
>completely ignored or dismissed. That way, the authorities accommodate
>the needs of the same big old players, who are the only ones who own
>the production line from the silicon wafers, card OS development up to
>the rollout infrastructure and keep all other competitors out of the
>game. In Germany you'll never see other companies than Telekom, Siemens,
>KPMG and Daimler-Chrysler win any hi-tech bid.

The thing I refer to is really more of an application that calls lower-level
crypto support like smart cards. In Windows that would be CryptoAPI.

rgds
Anders

