[Security-devroom] Talk submission : Fribid and browser security software

Martin Paljak martin at martinpaljak.net
Fri Dec 17 21:58:23 CET 2010

On Dec 17, 2010, at 8:16 PM, Tomas Gustavsson wrote:
> Here is another submission that I thought might be interesting.
> If accepted I hope to get the creator, Samuel, of this interesting tool
> to come, instead of me.
> Affiliation:
> Fribid.se [1]
> Bio:
> I am a PKI nerd since middle of the 90's. Samuel is a Computer Science
> student at KTH, Stockholm.
> Talk duration: 30 minutes max
> Talk: The development of Fribid, what can we do for browser clients?
> Since many years ago Swedish digital id's issued by the banks
> (equivalent to other countries digital national id's) are using
> proprietary client software in order to log in, sign transactions and
> enroll for id's. The software works as browser plug-ins since on-line
> services are always web based.
> Proprietary software rarely works well with Linux, although they now
> have a 32 bit version out. Samuel created an open source version of the
> browser plug-in, Fribid [1] to get something that works better. By
> investigating communication he soon had a linux client that worked well.
> It even works with smart cards using OpenSC [2].
> This talk will describe a bit of the development behind fribid, and
> extend to some questions that are much broader in scope than the swedish
> digital id's, that fribid was created for.
> Some of the natural questions to ask are:
> - Why are there no open standards for the authentication and digital
> signature operations needed for web based applications?
> - What can the open source world do to make this important technology
> (in a much wider concept than swedish digital id's) open and user friendly?

Indeed, very interesting. Online signature schemes and mechanics have IMHO been a moving target for a while and re-developed over and over again (applets, plugin, helpers, etc-etc) that it surely is an interesting, as well as practical topic.
For example, I don't know anyone who would know anyone who would use the .sign() function in Firefox, but I've created or helped to create ~3 different plugins or applets for the same purpose...

While TLS/SSL and related PKI is natural in the "web 2.5" world, anything that's not connection oriented (and is not S/MIME) is somewhat left aside. Even OAuth 2.0 decided that "signatures are difficult, let's just do SSL which everyone knows how to do".

+1 from me.
