Digital Signatures with JavaScript

Several years ago I used to work on a project that required the use of smart cards and digital signatures. I’ve already shared my experience with signing with javascript and then verifying the signature on the server side (with Java).

What I did today is to simply get the javascript, tidy it up and put it on GitHub (js-signer), so that people don’t need to copy-paste from a blogpost, and also to be able to update the project whenever there are new developments (for example Chrome and Safari implement DOMCrypt)

What are the use-cases of that? Electronic identification most often makes use of smart cards. And so software that requires to identify a citizen securely (most often banking or government software) and let him perform some actions online, needs to read the smartcards certificate details and to digitally sign content – e.g. you digitally sign your bank transfer, or you sign your request for a government service.

There are several ways to do that – e.g. Java Applet (like this one) or a custom-made ActiveX control. And while the applet and ActiveX is fine for internal use in organizations, where you can be sure that there’s Java installed or that everyone is using IE, these solutions are not so great for the mass public, because making the user install something is a bad user experience, and luckily not everyone is using IE. So a javascript solution must exist. Of course, the preconditions are, that the user has a digital signature, issued by a CA, and has followed the CA’s manual for installing the certificate in a browser. If these steps are not completed successfully, js-signer wouldn’t work.

Unfortunately, there’s no unified javascript solution. IE comes with CAPICOM, and Firefox has window.crypto. Safari and Chrome are waiting for a standard from W3C (DOMCrypt) before they implement window.crypto. That’s why js-signer currently supports only IE and FF, and the UX is a bit different with them.

I hope that more governments will go for electronic governance and use digital IDs (note: with the so called “anonymous credentials”, in order to ensure the privacy of citizens), and that browsers will follow and make it possible to handle smartcards without any hassle and without the need for 3rd party software.