[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Rob Stradling rob.stradling at comodo.com
Fri Aug 28 22:33:19 UTC 2015

On 27/08/15 23:52, Ryan Sleevi wrote:
> Rob,

Hi Ryan.

> I think it's reasonable to suggest that browsers are getting _out_ of
> the Enrollment game.
> In Blink, I'm in the process of deprecating the <keygen> implementation:
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/kmHsyMGJZAMJ

Yes, I'd seen that.  And I'm sure you're aware that it's not universally 

> This follows our existing deprecation of NPAPI (aka plugins) -
> https://www.chromium.org/developers/npapi-deprecation
> Similarly, Mozilla is examining removal of <keygen> support -
> https://groups.google.com/d/msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ
> - after having removed .signText and .generateCRMFRequest -
> https://wiki.mozilla.org/SecurityEngineering/Removing_Proprietary_window.crypto_Functions

Yes, I'd seen that too.  Richard Barnes wrote:
"The point has been made a couple of times that you can pretty 
effectively polyfill <keygen> with either WebCrypto or JS crypto 
libraries.  You can do the whole key generation and enrollment process 
that way, and the only manual step is to download the cert and import it 
into the browser.  Do it with JS, and you can support far more browsers 
than <keygen> supports today."

I don't see how that would get the JS-generated private key imported 
into wherever the user needs it to be.

> As you may or may not be aware, IE and Edge have never supported the
> <keygen> tag, instead with IE supporting ActiveX plugins (CertEnroll /
> XEnroll), and Edge supporting neither.

I'm very aware that Microsoft has never supported <keygen>.

Perhaps, with your W3C hat on, you know more about Microsoft's plans 
than I do.  However, if you don't mind, I'd like to hear from Microsoft 
about whether or not Edge's non-support for certificate enrolment is 

> If you were to read the tealeaves for the past two years, you would see
> that the idea of using Browsers as a delivery mechanism for making
> system-wide changes is on the way out - and this includes key enrollment
> and management.
> Long-term, CAs should look outside browsers, period, for the means to
> handle certificate enrollment.

If that's the case, then I suppose the simplest solution is for the CA 
to generate the keypair, then issue the cert, and then send a 
password-encrypted PKCS#12 file to the user.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
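The CA-side flow described at the end of the message (CA generates the keypair, issues the certificate, hands the user a password-encrypted PKCS#12), as an added openssl example that is not part of the thread; the CA name, subject, directory and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): CA-side enrolment ending in a PKCS#12.
# Caveat for defenders: in this model the CA has held the subscriber's private
# key, so a compromise of the CA's generation host exposes every such key.
set -e

# build_p12 DIR PASSWORD -> writes DIR/user.p12 and prints its path
build_p12() {
  dir="$1"; pass="$2"
  # 1. A throwaway issuing CA, constructed only for this demo.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. The CA generates the subscriber keypair itself (no browser <keygen>).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/user.key" 2>/dev/null
  # 3. A CSR from that key, then a certificate signed by the demo CA.
  openssl req -new -key "$dir/user.key" -subj "/CN=user@example.test" \
    -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/user.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/user.crt" 2>/dev/null
  # 4. Key + certificate + issuer bundled into a password-encrypted PKCS#12.
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
    -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/user.p12"
  echo "$dir/user.p12"
}

# check_p12 FILE PASSWORD -> exit 0 if the bundle's MAC verifies with PASSWORD
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Demo run with a constructed password; a deployment would use a per-user one
# delivered out of band from the file itself.
workdir="$(mktemp -d)"
p12="$(build_p12 "$workdir" 'demo-passphrase')"
check_p12 "$p12" 'demo-passphrase' && echo "bundle opens: $p12"
check_p12 "$p12" 'wrong-passphrase' || echo "wrong password rejected"
```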
