Accessing Firefox key store for signing

Nisar Hassan
Dear Team,

Is there any way we can digitally sign the transaction in a web app by using
the certificate stored in Firefox's key store?

Best Regards,

Nisar Hassan

Professional Service Engineer (PKI Department)

National Institutional Facilitation Technologies (Pvt.) Ltd.

5th Floor, AWT Plaza, I.I. Chundrigar Road, Karachi-74200.

UAN: (92-21) 111-112-222 Ext 243.

[hidden email]

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Accessing Firefox key store for signing

Ryan Sleevi-5
On Sat, May 25, 2019 at 2:03 AM Nisar Hassan <[hidden email]> wrote:

> Dear Team,
>
> Is there any way we can digitally sign the transaction in a web app by using
> the certificate stored in Firefox's key store?
>
> Best Regards,
>
> Nisar Hassan
>
> Professional Service Engineer (PKI Department)
>
> National Institutional Facilitation Technologies (Pvt.) Ltd.
>
> 5th Floor, AWT Plaza, I.I. Chundrigar Road, Karachi-74200.
>
> UAN: (92-21) 111-112-222 Ext 243.
>
> [hidden email]


No APIs for interacting with users’ smartcards or certificates are provided
by the Web Platform. You can use TLS mutual authentication to identify the
user, if the user chooses to use such a certificate, but there is no access
provided to potentially hostile web pages to use users’ certificates or
private keys.

You can, however, use extensions that the user explicitly installs.

Re: Accessing Firefox key store for signing

JC Jones
In reply to this post by Nisar Hassan
As Ryan said, there's no mechanism to use a certificate or smart card for this purpose at the web application layer, but it's feasible to use W3C Web Authentication and a security key device to do this. Explicit confirmation of a transaction is provided in that via an extension not yet implemented by browsers, but it's a proof-of-possession much in the same way as a smart card.

https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
https://www.w3.org/TR/2019/REC-webauthn-1-20190304/
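
The proof-of-possession described in the last reply, as an added example that is not part of the thread: a Node.js relying-party check of a WebAuthn assertion whose challenge carries a hash of the transaction. Binding the transaction through the challenge is an assumption of this example (it is not the transaction-confirmation extension mentioned above), as are `bank.example`, the sample transaction text and the simulated authenticator that stands in for a browser and security key.

```javascript
const crypto = require("crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Assumption of this example: challenge = server nonce || SHA-256(transaction).
const makeChallenge = (nonce, transaction) => Buffer.concat([nonce, sha256(transaction)]);

// Relying-party check of an assertion, reduced to the steps that bind the
// transaction (signature-counter and user-verification checks are omitted).
function verifyAssertion({ authenticatorData, clientDataJSON, signature }, publicKey, expected) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.origin !== expected.origin) return "wrong origin";
  const wanted = b64url(makeChallenge(expected.nonce, expected.transaction));
  if (client.challenge !== wanted) return "challenge mismatch";
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "wrong rpIdHash";
  if ((authenticatorData[32] & 0x01) === 0) return "user not present";
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad signature";
}

// Constructed stand-in for browser + security key, so the example runs offline.
function simulateAuthenticator(privateKey, rpId, origin, challenge) {
  const flagsAndCounter = Buffer.from([0x01, 0, 0, 0, 1]); // user present, counter = 1
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCounter]);
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: "webauthn.get", challenge: b64url(challenge), origin }));
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { authenticatorData, clientDataJSON, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  // In a real deployment the public key is stored at credential registration.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { rpId: "bank.example", origin: "https://bank.example",
    nonce: crypto.randomBytes(16), transaction: "pay 100.00 to account 12345" }; // constructed
  const assertion = simulateAuthenticator(privateKey, expected.rpId, expected.origin,
    makeChallenge(expected.nonce, expected.transaction));
  const tampered = { ...assertion, authenticatorData: Buffer.from(assertion.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff; // change the counter after signing
  return {
    genuine: verifyAssertion(assertion, publicKey, expected),
    altered: verifyAssertion(assertion, publicKey, { ...expected, transaction: "pay 900.00 to account 99999" }),
    tampered: verifyAssertion(tampered, publicKey, expected),
  };
}

console.log(demo());
```

The assertion proves possession of the credential's private key for this one challenge only; unlike a certificate-based signature, it is verifiable solely by the relying party that holds the registered public key.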