[xmlsec] Web form signing
Aleksey Sanin
aleksey@aleksey.com
Thu, 09 Jan 2003 01:45:22 -0800
Not sure what you mean by "your own pki":
- Invent a new PKI infrastructure??? We already have plenty of them
including
popular x509 and PGP.
- Writing your own code to do rsa signatures??? There are a lot of
crypto libraries
available already.
- Create your own "circle of trust"??? You need to do it in all cases.
As I wrote you before, the only "good" solution is hardware based. The
software is easily
breakable and might have "evil" code. If you want to have really good
security you need to tell
user to download your software, connect his/her smart card reader and
insert smart card.
IMHO, there are two types of users:
- people who don't care about security and actually don't know what
is it --- tell them to
simply install software and they'll do it;
- people who think they know about security and ready to pay money
for it (usually
you can find them in financial and goverment organizations) ---
they can afford smart cards
and almost any other hardware you'll ask for.
Choose you target audience. It'll reduce the number of possible cases.
Aleksey