- From: Ángel González <angel@16bits.net>
- Date: Mon, 29 Feb 2016 23:44:52 +0100
- To: public-webappsec@w3.org
Mitar wrote:
> Hi!
>
> On Thu, Feb 25, 2016 at 3:20 PM, Ángel González <angel@16bits.net>
> wrote:
> >
> > I was thinking of a list in your certificate window, where you could
> > input either exact domains or wildcards (e.g. *.gov.$CC)
> But this has a similar problem to current solutions: you cannot build
> an ecosystem around those certificates. My running example is me
> wanting to create a petition where I would like people to sign it
> with their certificates. I would not be able to do that because it
> would not be running under the .gov website.

The user would need to add your domain to the list of websites allowed
to use that certificate. The *.gov.$CC was an example for wildcard
support.

> But maybe an interesting thing would be that sites could request once
> a permission to access this API and the user would be prompted. So
> something like installing the plugin for Google Hangouts. If the user
> says no, then the site does not have access to the API. So instead of
> prompting for signing itself, you prompt for accessing the signing
> API in general.

No. There may be several certificates, each with its own set of
permissions. I may only wish to enable a certificate issued by my
employer to be accessed by their webpage, but support a government ID
certificate to be used by several official websites.
Or on a shared computer (and user account), one family member allowing
signing doesn't mean allowing signing for everyone.
Received on Monday, 29 February 2016 22:45:26 UTC
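
The per-certificate allow list discussed in this message, sketched as an added example (not code from the thread or from any browser). The certificate labels, the `.example` host names standing in for `*.gov.$CC`, the function names, the HTTPS-only rule and the any-depth wildcard are all assumptions.

```javascript
'use strict';

// Constructed sample store: every certificate has its OWN list of allowed hosts.
function sampleStore() {
  return [
    { label: 'Employer certificate', allowed: ['intranet.employer.example'] },
    { label: 'Government ID certificate', allowed: ['*.gov.example'] },
  ];
}

// Match a host against one entry: an exact name or a leading "*." wildcard.
// Assumption: the wildcard covers subdomains at any depth, never the bare suffix.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '');
  const h = host.toLowerCase().replace(/\.$/, '');
  if (!p.startsWith('*.')) return p === h;
  const suffix = p.slice(1); // keeps the leading dot, e.g. ".gov.example"
  // The dot enforces a label boundary: "evilgov.example" does not match.
  return h.length > suffix.length && h.endsWith(suffix);
}

// Which certificates may this origin ask to sign with?
// Assumption: only https origins are ever offered a certificate.
function certsAllowedFor(origin, store) {
  let url;
  try { url = new URL(origin); } catch { return []; }
  if (url.protocol !== 'https:') return [];
  return store
    .filter(c => c.allowed.some(p => hostMatches(p, url.hostname)))
    .map(c => c.label);
}

// The user adds a site to one certificate's list; other certificates are untouched.
function allowHost(store, label, pattern) {
  const cert = store.find(c => c.label === label);
  if (!cert) throw new Error('unknown certificate: ' + label);
  if (!cert.allowed.includes(pattern)) cert.allowed.push(pattern);
}

// Walk through the petition case from the thread with constructed origins.
function demo() {
  const store = sampleStore();
  const before = certsAllowedFor('https://petitions.example', store);
  allowHost(store, 'Government ID certificate', 'petitions.example');
  const after = certsAllowedFor('https://petitions.example', store);
  return { before, after };
}
console.log(demo());
```
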