[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Ryan Sleevi sleevi at google.com
Fri Aug 28 23:27:01 UTC 2015


On Fri, Aug 28, 2015 at 3:33 PM, Rob Stradling <rob.stradling at comodo.com>
wrote:

> Perhaps, with your W3C hat on, you know more about Microsoft's plans than
> I do.  However, if you don't mind, I'd like to hear from Microsoft about
> whether or not Edge's non-support for certificate enrolment is deliberate.


No W3C hat required - from one of the Microsoft IE/Edge PMs -
https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/UdqJdDsFAgAJ

> If that's the case, then I suppose the simplest solution is for the CA to
> generate the keypair, then issue the cert, and then send a
> password-encrypted PKCS#12 file to the user.


Or you can use WebCrypto to generate a keypair (which is constrained to
that origin), perform whatever proof of possession dance is required (e.g.
signing a CSR; again, using WebCrypto), submitting the CSR to the CA and
using WebCrypto to 'export' the key from JavaScript into a PKCS#12 blob
URL, which could then be invoked as a download.

The benefit to this is that the CA never need touch the key material. It
could live entirely on the client, avoiding any pesky escrow/generation
concerns. While a CA could, theoretically, access that private key (e.g. by
serving JS that caused WebCrypto to post them the exported private key),
it's no different a threat-model from a CA using a native enrollment
technology to escrow their key.