RFE: Add support for signing UTF-8 text

Open minfrin opened this issue 5 years ago • 6 comments

The Firefox web browser used to support a JavaScript function called crypto.signText() that presented some text to the end user, and invited the user to sign the text with a digital certificate.

This was removed from the Firefox project without a replacement.

I propose the same functionality be added to chrome-token-signing, so as to make it possible to sign text as was possible before.

minfrin avatar Jun 04 '20 12:06 minfrin

This is not in the scope of this project. Here the scope is mainly ETSI-defined signature formats (asic containers) and interfacing with the hardware to get such technical signatures. Implementation of UI or signature container/format generation is up to the application developers. It was removed for a reason from FF.

martinpaljak avatar Jun 04 '20 12:06 martinpaljak

The Firefox project never provided the reason for removal of crypto.signText(), and the need exists still.

Currently id.ee is the closest plugin that I have found that is able to sign documents - unfortunately the current API signs an opaque hash, and there is therefore no way to guarantee to an end user what they're signing.

signText (as in show the end user some text, ask them to sign that text and no other text) solves this problem.

minfrin avatar Jun 04 '20 12:06 minfrin

And this is a clear design decision, both good and bad. WYSIWYG is a valid concern, but not in the scope of this thing.

martinpaljak avatar Jun 04 '20 12:06 martinpaljak

> signText (as in show the end user some text, ask them to sign that text and no other text) solves this problem.

It is not so simple. We then also need some sort of hashing, and when you validate the signature you need to know the hash algo and also the message digesting procedures.

metsma avatar Sep 07 '20 05:09 metsma

> It is not so simple. We then also need some sort of hashing, and when you validate the signature you need to know the hash algo and also the message digesting procedures.

The problem is already solved - the crypto.signText() implementation is a starting point.

I want the ability to sign other things, like PDFs and DNSSEC zone files, but those are details.

minfrin avatar Sep 07 '20 09:09 minfrin

But these require some sort of hashing before, and you can create the hash and sign with hwcrypto.

metsma avatar Apr 20 '21 10:04 metsma

Thank you for the feedback. I will close this issue since the active development and management of the Token Signing component has ended due to the transition to the new web authentication and signing solution (Web eID). We are happy to accept your proposals in the new Web eID project repository: https://github.com/web-eid.

kristelmerilain avatar Sep 01 '23 05:09 kristelmerilain