Imagine a web application written in Python/Django in which users authenticate with digital certificates via Apache + mod_ssl (and a custom Django authentication backend). How can they sign files then? The certificates are issued by government-approved CAs.
If I'm not wrong, a file needs to be signed with the private key of a certificate, because that is the proof that the file has really been signed by someone (and not someone else pretending to be that person).
How can a web application have access to the private key of a certificate stored in the browser of the user?
Is this possible without the need of a software running on the user’s machine?
EDIT:
So this can be done either with an ActiveX control or a Java applet, right? Does this need to be developed from scratch or does anybody know an open source solution?
You are correct in that the web application requires access to the private key on the user’s local computer or PKI store. I developed such a solution for a web application on the USAF network.
Users log on to a USAF computer with their CAC card containing their PKI credentials and private key. In our solution, we needed to digitally sign PDF documents generated by our web application. We built an ActiveX control that would download the PDF document from the web site via a web service, digitally sign the PDF locally, and then transmit the signed PDF document back to the web site.
Since the signature authority of these documents was such a limited audience, we were able to get authorization for the use of the ActiveX control. You are heading down the right path as only a locally authorized application will have access to the user’s key store.