[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)
sleevi at google.com
Fri Aug 28 23:27:01 UTC 2015
On Fri, Aug 28, 2015 at 3:33 PM, Rob Stradling <rob.stradling at comodo.com>
> Perhaps, with your W3C hat on, you know more about Microsoft's plans than
> I do. However, if you don't mind, I'd like to hear from Microsoft about
> whether or not Edge's non-support for certificate enrolment is deliberate.
No W3C hat required - from one of the Microsoft IE/Edge PMs -
If that's the case, then I suppose the simplest solution is for the CA to
> generate the keypair, then issue the cert, and then send a
> password-encrypted PKCS#12 file to the user.
Or you can use WebCrypto to generate a keypair (which is constrained to
that origin), perform whatever proof of possession dance is required (e.g.
signing a CSR; again, using WebCrypto), submiting the CSR to the CA and
URL, which could then be invoked as a download.
The benefit to this is that the CA never need touch the key material. It
could live entirely on the client, avoiding any pesky escrow/generation
concerns. While a CA could, theoretically, access that private key (e.g. by
serving JS that caused WebCrypto to post them the exported private key),
it's no different a threat-model from a CA using a native enrollment
technology to escrow their key.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public