
crypto.signText does not attach document contents to the signed message


plig

Feb 11, 2005, 7:00:16 AM
Hello,
I want to sign a form field text with Mozilla browser using the
installed certificates in the browser itself. Well, I need a Javascript
solution and I found that crypto.signText does exactly what I want -
calculates the signature of the message, uses the certificates
installed in browser, even works with smart cards. However it has some
limitations which I'm still not able to overcome.
It seems that crypto.signText signs the message and provides only the
signature, so the content of the message itself is not included.

I use something like that:
window.crypto.signText('Sign this message', 'ask');

Is there some kind of parameter or something else which I can use and
include the content of the message in the final signed document?
Thanks in advance.

Ian G

Feb 11, 2005, 11:20:31 AM
plig wrote:

If you are thinking of OpenPGP cleartext signing,
there is no such analogue in the x.509 world as
far as standards go, AFAIK.

My company added cleartext x.509 signing to our
own code base (in Java for Ricardian Contracts)
back in 1999 or so, it's not hard to do this work.
But as this was a non-standard approach, I don't
know that anyone would be interested in adding
it to Mozilla.

Bear in mind that as well as signing
tools, you would also need to create verification
tools that understand the cleartext signing format,
so you would always be limited to using the one
browser/place that it was implemented in.

If you are not talking about cleartext signing, then
ignore all the above.

iang
--

News and views on what matters in finance+crypto:
http://financialcryptography.com/

Nelson B Bolyard

Feb 11, 2005, 1:01:36 PM
Ian G wrote:
> plig wrote:
>
>> Hello,
>> I want to sign a form field text with Mozilla browser using the
>> installed certificates in the browser itself. Well, I need a Javascript
>> solution and I found that crypto.signText does exactly what I want -
>> calculates the signature of the message, uses the certificates
>> installed in browser, even works with smart cards. However it has some
>> limitations which I'm still not able to overcome.
>> It seems that crypto.signText signs the message and provides only the
>> signature, so the content of the message itself is not included.
>>
>> I use something like that:
>> window.crypto.signText('Sign this message', 'ask');
>>
>> Is there some kind of parameter or something else which I can use and
>> include the content of the message in the final signed document?

> If you are thinking of OpenPGP cleartext signing,
> there is no such analogue in the x.509 world as
> far as standards go, AFAIK.

Ian and plig,

In the world of PKCS7 (a.k.a. "CMS") there are two kinds of signatures,
commonly called "detached" and "opaque". plig is asking for opaque;
that is, a signature "blob" that contains the signed data as well as the
signature itself and the certs. IINM, today mozilla's signtext extension
is producing "detached" signatures. I don't know if there is any way
to get opaque.
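
To make the detached/opaque distinction from the reply above concrete, here is an added example (not part of the thread and not Mozilla's code) that inspects a PKCS#7 SignedData blob and returns the embedded content if present, or null for a detached signature. It assumes Node.js and a blob already decoded to DER with definite lengths only; `readTlv`, `children`, `embeddedContent`, `tlv` and `sample` are names made up for this illustration, and the sample blobs are constructed.

```javascript
const OID_SIGNED_DATA = '2a864886f70d010702'; // 1.2.840.113549.1.7.2
const OID_DATA = '2a864886f70d010701';        // 1.2.840.113549.1.7.1

// Read one TLV at `off`: returns its tag and the byte range of its value.
function readTlv(buf, off, limit = buf.length) {
  const tag = buf[off];
  let len = buf[off + 1], start = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported length encoding');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  const end = start + len;
  if (tag === undefined || !(end <= limit)) throw new Error('truncated DER');
  return { tag, start, end };
}

// Split a constructed value into its child TLVs, none of which may overrun it.
function children(buf, node) {
  const out = [];
  for (let off = node.start; off < node.end; off = out[out.length - 1].end) {
    out.push(readTlv(buf, off, node.end));
  }
  return out;
}

// Returns the embedded content (opaque) or null (detached).
function embeddedContent(der) {
  const [type, wrapper] = children(der, readTlv(der, 0));
  const oid = type && Buffer.from(der.subarray(type.start, type.end)).toString('hex');
  if (oid !== OID_SIGNED_DATA || !wrapper || wrapper.tag !== 0xa0) throw new Error('not SignedData');
  const [signedData] = children(der, wrapper);
  // SignedData fields in order: version, digestAlgorithms, contentInfo, ...
  const encap = signedData && children(der, signedData)[2];
  if (!encap || encap.tag !== 0x30) throw new Error('missing contentInfo');
  const [, content] = children(der, encap); // [0] EXPLICIT content is OPTIONAL
  if (!content) return null;
  const [octets] = children(der, content);
  if (!octets || octets.tag !== 0x04) throw new Error('unexpected content encoding');
  return Buffer.from(der.subarray(octets.start, octets.end));
}

// Constructed samples: structure only, no real certificates or signer info.
const tlv = (tag, ...p) => Buffer.concat([Buffer.from([tag, Buffer.concat(p).length]), ...p]);
function sample(text) { // text === null builds the detached form
  const body = text === null ? [] : [tlv(0xa0, tlv(0x04, Buffer.from(text)))];
  const encap = tlv(0x30, tlv(0x06, Buffer.from(OID_DATA, 'hex')), ...body);
  const sd = tlv(0x30, tlv(0x02, Buffer.from([1])), tlv(0x31), encap, tlv(0x31));
  return tlv(0x30, tlv(0x06, Buffer.from(OID_SIGNED_DATA, 'hex')), tlv(0xa0, sd));
}
```

A null result means the blob is detached, so the signed text has to be sent alongside it for verification.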
