[xmlsec] Web form signing

Aleksey Sanin aleksey@aleksey.com
Thu, 09 Jan 2003 01:45:22 -0800


Not sure what you mean by "your own pki":
    - Invent a new PKI infrastructure??? We already have plenty of them
      including popular x509 and PGP.
    - Writing your own code to do rsa signatures??? There are a lot of
      crypto libraries available already.
    - Create your own "circle of trust"??? You need to do it in all cases.

As I wrote you before, the only "good" solution is hardware based. The
software is easily breakable and might have "evil" code. If you want to
have really good security you need to tell the user to download your
software, connect his/her smart card reader and insert the smart card.
IMHO, there are two types of users:
     - people who don't care about security and actually don't know what
       it is --- tell them to simply install software and they'll do it;
     - people who think they know about security and are ready to pay money
       for it (usually you can find them in financial and government
       organizations) --- they can afford smart cards and almost any other
       hardware you'll ask for.
Choose your target audience. It'll reduce the number of possible cases.

Aleksey