1

Topic: Re: Transferring the certificate to the server for signing

Hello, , you wrote:

> And can the client/user somehow select the certificate and send it to the server, so that the server itself signs everything it needs with this certificate? Can this be implemented without plug-ins? Clearly, the certificate file with the private key can simply be sent as a file in a POST request, but that is an absolutely foolish solution.

Of course it is possible. But the whole point is not to give the private key to anybody, that is, not to transfer it to the server. Otherwise the server can sign anything with your signature at any moment without your involvement.

2

Re: Re: Transferring the certificate to the server for signing

Hello, , you wrote:

> To tell the truth, I know cryptography only superficially, so I have a rather foolish question about  and .
> Suppose there is a server that prepares some XML which the user must sign.
> As far as I understand, the standard solution is that the data prepared by the server is first transferred to a client application, which shows a certificate selection dialog, then somehow signs the data there, and the data is returned to the server already signed.
> On the web, as far as I understand, there is no portable solution for this, and it is all done by means of various plug-ins.
> And can the client/user somehow select the certificate and send it to the server, so that the server itself signs everything it needs with this certificate? Can this be implemented without plug-ins? Clearly, the certificate file with the private key can simply be sent as a file in a POST request, but that is an absolutely foolish solution.

And what is the goal: to comply with standards, or will a homegrown solution do?

3

Re: Re: Transferring the certificate to the server for signing

Hello, , you wrote:

> Hello, bnk, you wrote:
bnk>> Otherwise the server can sign anything with your signature at any moment without your involvement.
> That is exactly what I am interested in: has any magic been invented so that the private key is not transferred, yet the data is signed on the server?

For the server to be unable to sign without the client's permission, the client must give the server something without which the server cannot do it. So we are back where we started: if the client gives something anyway, it would not be hard, and would be simplest, for it to sign itself. Why the extra steps here? I think it is possible in the presence of an arbitrator, an agent that both the client and the server trust.

4

Re: Re: Transferring the certificate to the server for signing

Hello, , you wrote:

> Hello, Qulac, you wrote:
Q>> For the server to be unable to sign without the client's permission, the client must give the server something without which the server cannot do it. So we are back where we started: if the client gives something anyway, it would not be hard, and would be simplest, for it to sign itself.
> Yes, that is just the point: these signatures specifically break the whole harmonious concept of "thin clients" )

In a sense yes, but if it is really necessary, I think it is possible.

Q>> I think it is possible in the presence of an arbitrator, an agent that both the client and the server trust.
> And in a Windows domain infrastructure, is there something similar to such an agent? The certificate is stored either in the registry or on the device, and in any case the domain administrator or a service with appropriate privileges can get access to them.
> There is Kerberos, as an example of an agent providing authentication and authorization that both sides trust

Here I cannot advise anything.

5

Re: Re: Transferring the certificate to the server for signing

Hello, , you wrote:

> And in a Windows domain infrastructure, is there something similar to such an agent? The certificate is stored either in the registry or on the device, and in any case the domain administrator or a service with appropriate privileges can get access to them.

As far as I know, the answer is no. Build homegrown solutions (native messaging, a server on localhost), or use the homegrown solutions from the token vendor. If you dig something up, it would be interesting to hear.

6

Re: Re: Transferring the certificate to the server for signing

Transmitting the private key to anyone compromises the idea of asymmetric cryptography. Therefore, do not do that. But there are options. It is possible to generate key pairs (and the certificate, if necessary) on the server and bind them to the user. When the user needs to sign something, they identify themselves (for example, through ), then the server takes the private key bound to the user and signs/encrypts on their behalf. This scheme assumes that the user trusts the server as they trust themselves.

This is how it is implemented, for example, in the taxpayer's personal account at https://lkfl.nalog.ru. There the keys  somewhere on the server and are not given to the client. But documents can be signed with them after logging in to the personal account. It is done similarly in Rosreestr's electronic registration service. There, too, the keys  on the server, and the user receives  with the code  for the signature.

7

Re: Re: Transferring the certificate to the server for signing

Hello, bnk, you wrote:

bnk> Hello, , you wrote:
>> And in a Windows domain infrastructure, is there something similar to such an agent? The certificate is stored either in the registry or on the device, and in any case the domain administrator or a service with appropriate privileges can get access to them.
bnk> As far as I know, the answer is no. Build homegrown solutions (native messaging, a server on localhost), or use the homegrown solutions from the token vendor.
bnk> If you dig something up, it would be interesting to hear.

Here I did not understand how they do it. But nothing needs to be installed; you simply sign documents in Chrome or another browser: https://ols.imsa.ua/

8

Re: Re: Transferring the certificate to the server for signing

Hello, Danchik, you wrote:

D> Here I did not understand how they do it. But nothing needs to be installed; you simply sign documents in Chrome or another browser: https://ols.imsa.ua/

What should I do to try it (where do I click there)? I am talking about a signature that is stored on my USB token. Don't they do it this way (Author: RushDevion, Date: 24.06 23:44)?

9

Re: Re: Transferring the certificate to the server for signing

Hello, bnk, you wrote:

bnk> Hello, Danchik, you wrote:
D>> Here I did not understand how they do it. But nothing needs to be installed; you simply sign documents in Chrome or another browser: https://ols.imsa.ua/
bnk> What should I do to try it (where do I click there)?
bnk> I am talking about a signature that is stored on my USB token. Don't they, by any chance, do it this way (Author: RushDevion, Date: 24.06 23:44)?

I looked at what is what. They load the crypto  into a sort of mem file. I am a layman in this; maybe WebAssembly, or whatever else it could be (a dump?). And they sign on the client.

10

Re: Re: Transferring the certificate to the server for signing

Hello, Danchik, you wrote:

D> I looked at what is what. They load the crypto  into a sort of mem file. I am a layman in this; maybe WebAssembly, or whatever else it could be (a dump?). And they sign on the client.

That is, you can select the certificate to sign with? I also did not find what to click there to try their system.

11

Re: Re: Transferring the certificate to the server for signing

Hello, bnk, you wrote:

bnk> Hello, Danchik, you wrote:
D>> I looked at what is what. They load the crypto  into a sort of mem file. I am a layman in this; maybe WebAssembly, or whatever else it could be (a dump?). And they sign on the client.
bnk> That is, you can select the certificate to sign with? I also did not find what to click there to try their system.

Yes, here you need to be . It is run by the tax office, and reports are submitted through the same system. Yes,  you select from disk and enter the password for the key. They load the  and sign on the client.
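The flow discussed in this thread (the server prepares the data, the user picks a password-protected key file and enters its password, the signature is made on the client and only the signature goes back), as an added example that is not code from any poster or from the sites mentioned. It is written for Node.js so it runs offline; the XML, the passphrase, the key pair and all function names are constructed for illustration.

```javascript
// Added example (not from the thread): the private key never leaves the client.
const crypto = require('node:crypto');

// Constructed sample: a password-protected key file, as a user would keep on disk,
// and the matching public key, which is all the server ever holds.
const PASSPHRASE = 'constructed-demo-passphrase';
const { publicKey: SERVER_KNOWN_PUBLIC_KEY, privateKey: KEY_FILE_PEM } =
  crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem',
                          cipher: 'aes-256-cbc', passphrase: PASSPHRASE },
  });

// Server: prepares the XML to be signed; a fresh nonce makes each request unique.
function serverPrepare() {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `<order nonce="${nonce}"><amount>100</amount></order>`;
}

// Client: decrypts the key file in memory with the user's password and signs.
// Returns only the signature, or null if the password is wrong.
function clientSign(xml, keyFilePem, passphrase) {
  let key;
  try {
    key = crypto.createPrivateKey({ key: keyFilePem, passphrase });
  } catch {
    return null;
  }
  return crypto.sign('sha256', Buffer.from(xml, 'utf8'), key).toString('base64');
}

// Server: checks the returned signature against the user's public key.
function serverVerify(xml, signatureB64) {
  if (typeof signatureB64 !== 'string') return false;
  return crypto.verify('sha256', Buffer.from(xml, 'utf8'),
                       SERVER_KNOWN_PUBLIC_KEY, Buffer.from(signatureB64, 'base64'));
}

function demo() {
  const xml = serverPrepare();
  const sig = clientSign(xml, KEY_FILE_PEM, PASSPHRASE);
  return {
    accepted: serverVerify(xml, sig),
    tamperedAccepted: serverVerify(xml.replace('<amount>100', '<amount>900'), sig),
    wrongPassword: clientSign(xml, KEY_FILE_PEM, 'wrong-password'),
  };
}
```

The server side only ever sees the XML, the signature and the public key, so it can verify but cannot produce a signature on the user's behalf.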

12

Re: Re: Transferring the certificate to the server for signing

Hello, bnk, you wrote:

bnk> Hello, Danchik, you wrote:
D>> I looked at what is what. They load the crypto  into a sort of mem file. I am a layman in this; maybe WebAssembly, or whatever else it could be (a dump?). And they sign on the client.
bnk> That is, you can select the certificate to sign with? I also did not find what to click there to try their system.

WebAssembly is an option here.  yourself some crypto module and work. It sounds beautiful, but it is not easily done )) Or put Blazor on .NET  if it launches successfully.

13

Re: Re: Transferring the certificate to the server for signing

Hello, Danchik, you wrote:

D>>> I looked at what is what. They load the crypto  into a sort of mem file. I am a layman in this; maybe WebAssembly, or whatever else it could be (a dump?). And they sign on the client.
bnk>> That is, you can select the certificate to sign with? I also did not find what to click there to try their system.
D> WebAssembly is an option here.  yourself some crypto module and work. It sounds beautiful, but it is not easily done ))
D> Or put Blazor on .NET  if it launches successfully.

But isn't the problem in access to  certificates? I thought that the browser simply does not allow anyone to do it (including a web ), therefore a certificate on a USB token cannot be used for signing directly from the browser. I would like to understand how they got around it.

14

Re: Re: Transferring the certificate to the server for signing

Hello, bnk, you wrote:

D>> WebAssembly is an option here.  yourself some crypto module and work. It sounds beautiful, but it is not easily done ))
D>> Or put Blazor on .NET  if it launches successfully.
bnk> But isn't the problem in access to  certificates? I thought that the browser simply does not allow anyone to do it (including a web ), therefore a certificate on a USB token cannot be used for signing directly from the browser. I would like to understand how they got around it.

This is something else. To USB certainly not , but to a private key in a file it is possible for a token. As this system requires. For a USB token, you can make a Windows Service/Linux daemon that starts a local API server to which the page can .