Digital signatures are mostly invisible to users. Users of SSL and S/MIME may know that there is a digital signature involved with their web browser or email application by seeing a little extra icon on their screen.
PGP has always thrown the signature right into your face, which I like. Obviously a user can't verify that the signature is there and not a fake; however, he knows that he now has to do something with it.
With the new release 0.13 of NeuClear XMLSig we have introduced HTML signing, to help bring some of that same effect to HTML. These signed HTML pages will be used as official human-readable Identity pages, Service Descriptors etc. within the NeuClear framework for commerce.
For an example of a simple signed html page see: http://talk.org/pelletest.html or http://bux.neuclear.org/bux.html

These pages are fully compliant with the XML-Signature Syntax and Processing standard.
The main problem I’ve had with them so far is that the only browsers I’ve been able to get to accept styles for the XML elements are Mozilla and Firefox. The actual Signature element in an Enveloped Signature has to be a direct child of the parent element, so it comes within the html tag but not within the body tag. It does work though at the moment.
To do it correctly within XHTML I would really want to place it within the body tag. This is doable in the standard, but only using an XPath transform. I’m not too crazy about those as I believe they could in the future be a source of a bunch of new security holes, so I prefer what I’ve got now.
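A verifier can enforce this layout before it evaluates the signature itself. The check below is an added example, not code from the original post or the NeuClear library; it is written in Python rather than Java so it runs with the standard library alone. The function names, the transform allow-list and the sample pages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
# Assumed policy: only enveloped-signature and the W3C canonicalizations are accepted.
ALLOWED = {ENVELOPED, "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
           "http://www.w3.org/2001/10/xml-exc-c14n#"}

def layout_problems(xml_text):
    """Return policy violations for an enveloped signature; [] means acceptable."""
    root = ET.fromstring(xml_text)
    sigs = list(root.iter(DS + "Signature"))
    problems = []
    if len(sigs) != 1:
        problems.append(f"expected one Signature, found {len(sigs)}")
    if sigs != root.findall(DS + "Signature"):
        problems.append("Signature is not a direct child of the root element")
    for sig in sigs:
        refs = sig.findall(f"{DS}SignedInfo/{DS}Reference")
        if not any(r.get("URI") == "" for r in refs):
            problems.append('no Reference with URI="" covering the document')
        for ref in refs:
            algs = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
            if ref.get("URI") == "" and ENVELOPED not in algs:
                problems.append("document Reference lacks enveloped-signature")
            problems += [f"transform not allowed: {a}" for a in algs if a not in ALLOWED]
    return problems

def sample(transform, in_body):
    """Constructed test page; digest and signature values are omitted on purpose."""
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
           '<Reference URI=""><Transforms><Transform Algorithm="%s"/></Transforms>'
           '</Reference></SignedInfo></Signature>' % transform)
    body = "<body><p>Contract text</p>%s</body>" % (sig if in_body else "")
    return ('<html xmlns="http://www.w3.org/1999/xhtml">%s%s</html>'
            % (body, "" if in_body else sig))

if __name__ == "__main__":
    print(layout_problems(sample(ENVELOPED, in_body=False)))  # layout from the post
    print(layout_problems(sample(XPATH, in_body=True)))       # body placement via XPath
```

This is a structural pre-check only; the digest and signature value still have to be validated by an XML-Signature implementation.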
Creating a Signature on an HTML file
If you would like to try it yourself, run the NeuClear Personal Signer with Java Web Start and select “Sign File…” from the File menu. It will allow you to select HTML and XML files for signing.
Our implementation uses JTidy to convert plain HTML to XHTML before signing.
Signing in your own code
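// Standard I/O classes; the NeuClear classes (DefaultSigner, SwingAgent,
// HTMLSignature) must be imported from the NeuClear libraries as well.
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;

// First we will load the DefaultSigner
DefaultSigner signer = new DefaultSigner(new SwingAgent());
// Create an InputStream containing the html file
InputStream is = new BufferedInputStream(new FileInputStream("MyContract.html"));
// Create the Signature with the given signer
HTMLSignature html = new HTMLSignature(signer, is);
// The PrimaryReferenceElement contains the signed html
System.out.println(html.getPrimaryReferenceElement().asXML());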
For more information on DefaultSigners etc read my last blog entry: Released new Crypto Tools
For more information on using XML Signatures with the NeuClear XMLSig library see our Busy Developers Guide to the NeuClear XMLSig library