HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kjetil

no profile record

comments

kjetil
·3년 전·discuss
In the EU (and EEA), eIDAS distinguishes between

- "electronic signatures", which can be any electronic data used to sign, like a drawn signature - "advanced electronic signature" (AdES), usually a type of digital signature (XML-DSig, PDF signature, etc.) - "qualified electronic signature (QES), which is a digital signature created by a certified signature device

QES is legally equivalent to a "wet signature", but in my experience rarely used because of cost. AdES is much more common for high-trust scenarios like loan applications. For low-trust like package delivery, a signature (or smiley) drawn on a touch device will usually do.
kjetil
·4년 전·discuss
There is actually one more way to quit vim. If you only have one window open in vim, Ctrl-W Q will exit.
kjetil
·4년 전·discuss
In practice, though, PAdES has a lot more support and has the crucial property of being easy to view by end-users.

Is there any wide use of ASiC?
kjetil
·4년 전·discuss
The article does not mention passkeys, but they seem destined to be almost all of WebAuthn usage in the future, now that both Apple and Google support them. External FIDO keys will probably remain a niche solution for those with special security needs. But where does that leave the platform authenticator approach? It’s great that you can store the key on-device, but is it really worth it ti not use passkeys instead?
kjetil
·5년 전·discuss
QWACs are for web sites, not users. CAs have to be audited as a TSP in order to issue them and be approved by the member state.
kjetil
·5년 전·discuss
Are the TSP audit requirements less strict than what the browsers’ root programs require?
kjetil
·5년 전·discuss
Not being able to automatically renew certificates seems like a rather minor point in the bigger picture.

I get QWAC goes against the trend of phasing out EV certs. But isn’t the real issue that the browsers don’t trust TSP audits carried out for EU member states?
kjetil
·5년 전·discuss
Identity verification services usually combine document reading with something like a video selfie, which provides 1) a liveness check (you are a real person) and 2) a match against the digital image data that was read.

Is it possible to fool? Like anything it is a trade-off. Acceptable security for an acceptable cost. Hopefully it fulfills your security requirements and you saved a physical visit.