[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Ryan Sleevi sleevi at google.com
Thu Aug 27 22:52:34 UTC 2015


On Thu, Aug 27, 2015 at 1:24 PM, Rob Stradling <rob.stradling at comodo.com>
wrote:

> Hi Jody.  Another "gap" I've noticed with Edge is that, with ActiveX no
> longer supported, certificate enrolment using CertEnroll no longer works.
>
> This means that Edge can't be used to obtain Code Signing Certificates
> or S/MIME Certificates from many (if not most or even all) CAs.
>
> Do you have any plans to plug this gap?
> (Or is the long-term plan simply that CAs should recommend the use of a
> different browser?)
>
> Or, can you point me in the direction of some alternative certificate
> enrolment technology that Edge does already support?
>
> Thanks.
>

Rob,

I think it's reasonable to suggest that browsers are getting _out_ of the
Enrollment game.

In Blink, I'm in the process of deprecating the <keygen> implementation:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/kmHsyMGJZAMJ

This follows our existing deprecation of NPAPI (aka plugins) -
https://www.chromium.org/developers/npapi-deprecation

Similarly, Mozilla is examining removal of <keygen> support -
https://groups.google.com/d/msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ
- after having removed .signText and .generateCRMFRequest -
https://wiki.mozilla.org/SecurityEngineering/Removing_Proprietary_window.crypto_Functions

As you may or may not be aware, IE and Edge have never supported the
<keygen> tag, instead with IE supporting ActiveX plugins (CertEnroll /
XEnroll), and Edge supporting neither.

If you were to read the tea leaves for the past two years, you would see
that the idea of using Browsers as a delivery mechanism for making
system-wide changes is on the way out - and this includes key enrollment
and management.

Long-term, CAs should look outside browsers, period, for the means to
handle certificate enrollment.