Reputation: 8184
In my application, the client must sign (using a certificate) and send data to the server. My question is: how should I do it?
To sign on the client side, I should use ActiveX, right? My problem is that Firefox doesn't support it. Signing on the server side I have two options:
Despite using SSL, I'm not very comfortable with any of the two options for signing on the server side... Using ActiveX may make my application more vulnerable, right?
Hope you can help me :)
Upvotes: 1
Views: 1021
Reputation: 46060
There's no single solution for client-side signing in all browsers, unfortunately. We are currently working on distributed signature components for our SecureBlackbox product, and we've created a Java applet, an ActiveX control and a Flex script to perform signing. However, all variants have shortcomings. For example, only the ActiveX control can access the Windows certificate store. With other module types the user would need to load the certificate from a PFX (PKCS#12) file.
Uploading and signing on the server won't work because the private key is not always exportable on the client (it can reside on a cryptotoken or smartcard, or just be non-exportable), and also this approach makes the whole process useless as it significantly lowers security.
Update: SecureBlackbox 9 is in public beta now, with support for client-side signing (we provide ActiveX, Java and Flash modules for this).
Upvotes: 1
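The split the answer above describes, as an added example that is not part of the original thread and is not SecureBlackbox code: the private key is used only on the client, and the server receives just the data and the signature. It assumes Node.js's built-in `crypto` module as a stand-in for the browser signing component and a bare RSA public key as a stand-in for the client's certificate; all function names and sample data are constructed for illustration.

```javascript
const crypto = require('crypto');

// --- Client side: the private key is created and used here, never sent. ---
function makeClientIdentity() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  // Assumption: the public key plays the role of the client's certificate,
  // which the server has on file from enrollment.
  return { privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

function clientSign(privateKey, data) {
  const signature = crypto.sign('sha256', Buffer.from(data, 'utf8'), privateKey);
  // Only the data and the signature go on the wire.
  return { data, signature: signature.toString('base64') };
}

// --- Server side: verifies against the registered public key only. ---
function serverVerify(registeredPublicPem, message) {
  return crypto.verify(
    'sha256',
    Buffer.from(message.data, 'utf8'),
    registeredPublicPem,
    Buffer.from(message.signature, 'base64')
  );
}

// Constructed sample run: a valid message, a tampered one, and a message
// signed by a key the server does not have registered for this client.
function demo() {
  const client = makeClientIdentity();
  const other = makeClientIdentity();
  const msg = clientSign(client.privateKey, 'order=42;amount=100');
  return {
    valid: serverVerify(client.publicPem, msg),
    tampered: serverVerify(client.publicPem, { ...msg, data: 'order=42;amount=900' }),
    wrongSigner: serverVerify(client.publicPem, clientSign(other.privateKey, msg.data)),
    keyOnWire: JSON.stringify(msg).includes('PRIVATE KEY'),
  };
}
```

With a smartcard or non-exportable key, `clientSign` is the only step that changes: the signing call goes to the token instead of an in-memory key, and the server side stays the same.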