System and method for using a portable security device to cryptographically sign a document in response to signature requests from a relying party to a digital signature service

US9065823B2 · US · B2

Patent metadata

Publication number: US-9065823-B2
Application number: US-201013583578-A
Country: US
Kind code: B2
Filing date: Mar 8, 2011
Priority date: Mar 8, 2010
Publication date: Jun 23, 2015
Grant date: Jun 23, 2015

Abstract

(EN) A system, method and computer-readable storage medium with instructions for operating a digital signature server and a portable security device to cooperate to provide digital signature services using a private key stored on the portable security device by delegating to a user's smart card the actual task of digitally signing documents. Other systems and methods are disclosed.

First claim

We claim:

1. A method for operating a digital signature server, a host computer, and a smart card connected to the host computer, to obtain a digital signature on a data item, comprising: establishing a network connection between a web browser instance on the host computer and a relying party server over a computer network; receiving, at the digital signature server, a signature request from the relying party via the communication with a web browser instance on the host computer, wherein the request, which is transmitted from the relying party to the digital signature server over a network connection between the web browser instance and the digital signature server via the web browser instance of the host computer, requests the digital signature server to digitally sign the data item on behalf of a user of a web service of the relying party; in response to receiving the signature request: transmitting the data item to be signed from the digital signature server to the web browser instance over the network with an indication to operate the smart card to sign the data item; and forwarding the data item to be signed from the web browser instance executing on the host computer to the smart card for signature; receiving the signature at the digital signature server from the smart card via the host computer over the network connection between the web browser instance and the digital signature server; and upon receiving the signature at the digital signature server from the smart card via the host computer, transmitting the signature from the digital signature server to the relying party via the web browser instance over the network.

2. The method of claim 1 wherein the step of transmitting the data item to be signed from the digital signature server comprises transmitting the data to be signed together with the instructions to cause the web browser instance to obtain the signature from a smart card connected to the host computer and instructions to cause the smart card to transmit the signature back to the digital signature server.

3. The method of claim 1 or 2 wherein the step of receiving, at the digital signature server, a signature request from a relying party comprises receiving by the digital signature server the signature request in a first transport binding that enables the digital signature server to respond to the browser interacting with the relying party.

4. The method of claim 3 wherein the step of transmitting the signature from the digital signature server comprises transmitting the signature to the relying party via the web browser instance executing on the host computer using a second transport binding that causes a redirection of the response in the web browser instance to the relying party.

5. The method of claim 4 wherein the first transport binding is the same as the second transport binding.

6. The method of claim 4 wherein the first transport binding is different from the second transport binding.

7. A system for providing digital signature service using a private key comprising: a portable security device connected to a host computer; and a digital signature server connected to the host computer over a network and operable to: receive a digital signature request from a relying party over the network via a web browser instance executing on the host computer wherein the digital signature request is transmitted to the web browser instance from a relying party over the network, and wherein the request, which is transmitted over the network from the relying party to the digital signature server via the web browser instance of the host computer, requests the digital signature server to digitally sign the data item on behalf of a user of a web service of the relying party; in response to receiving the digital signature request, securely transmitting data to be signed from the digital signature server to the web browser instance executing on the host computer over the network with an indication to operate the portable security device to sign the data; forwarding the data to be signed from the web browser instance executing on the host computer to the portable security device for signature; the portable security device operable to: digitally sign the data using a user private key stored on the portable security device; transmit the digital signature from the portable security device to the digital signature server over the network via the web browser instance executing on the host computer; and wherein the digital signature server is further operable to: transmit the digital signature from the digital signature server to the relying party over the network via the web browser instance executing on the host computer.

8. The system for providing digital signature service using a private key of claim 7 wherein the portable security device is further operable to authenticate the user prior to signing the data and to only digitally sign the data in response to successful authentication of the user.

9. The system for providing digital signature service using a private key of claim 7, wherein the relying party is configured to transmit the signature request message to the digital signature server over a first transport binding protocol, wherein the digital signature server is configured to transmit the signature to the relying party over a second transport binding protocol, and wherein the first transport binding protocol is the same as the second transport binding protocol.

10. The system for providing digital signature service using a private key of claim 7, wherein the relying party is configured to transmit the signature request message to the digital signature server over a first transport binding protocol, wherein the digital signature server is configured to transmit the signature to the relying party over a second transport binding protocol, and wherein the first transport binding protocol is not the same as the second transport binding protocol.

Classifications

  • involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853)

  • using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234)

  • the source of the received data

  • involving digital signatures

  • Wireless

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Lu Hongqian Karen, Sachdeva Kapil, Gemalto Sa
What technology area does this patent fall under?
Primary CPC classification H04L63/0853. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 23, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).