[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Ryan Sleevi sleevi at google.com
Thu Aug 27 22:52:34 UTC 2015

On Thu, Aug 27, 2015 at 1:24 PM, Rob Stradling <rob.stradling at comodo.com> wrote:

> Hi Jody.  Another "gap" I've noticed with Edge is that, with ActiveX no
> longer supported, certificate enrolment using CertEnroll no longer works.
> This means that Edge can't be used to obtain Code Signing Certificates
> or S/MIME Certificates from many (if not most or even all) CAs.
> Do you have any plans to plug this gap?
> (Or is the long-term plan simply that CAs should recommend the use of a
> different browser?)
> Or, can you point me in the direction of some alternative certificate
> enrolment technology that Edge does already support?
> Thanks.


I think it's reasonable to suggest that browsers are getting _out_ of the
Enrollment game.

In Blink, I'm in the process of deprecating the <keygen> implementation:

This follows our existing deprecation of NPAPI (aka plugins) -

Similarly, Mozilla is examining removal of <keygen> support -
- after having removed .signText and .generateCRMFRequest -

As you may or may not be aware, IE and Edge have never supported the
<keygen> tag, instead with IE supporting ActiveX plugins (CertEnroll /
XEnroll), and Edge supporting neither.

If you were to read the tea leaves for the past two years, you would see
that the idea of using Browsers as a delivery mechanism for making
system-wide changes is on the way out - and this includes key enrollment
and management.

Long-term, CAs should look outside browsers, period, for the means to
handle certificate enrollment.