[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Rob Stradling rob.stradling at comodo.com
Tue Sep 1 01:27:50 MST 2015


Thanks Jody.

On 31/08/15 18:34, Jody Cloutier wrote:
> I’m still investigating the current status of Edge. The person that I
> needed to talk to was out of the office last week.
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, August 28, 2015 4:27 PM
> *To:* Rob Stradling <rob.stradling at comodo.com>
> *Cc:* Jody Cloutier <jodycl at microsoft.com>; public at cabforum.org; Dean
> Coclin <Dean_Coclin at symantec.com>; Rick Andrews <Rick_Andrews at symantec.com>
> *Subject:* Re: Browsers & Enrollment (was Re: [cabfpub] Edge Browser
> Can't View Certificate)
>
> On Fri, Aug 28, 2015 at 3:33 PM, Rob Stradling <rob.stradling at comodo.com
> <mailto:rob.stradling at comodo.com>> wrote:
>
>     Perhaps, with your W3C hat on, you know more about Microsoft's plans
>     than I do.  However, if you don't mind, I'd like to hear from
>     Microsoft about whether or not Edge's non-support for certificate
>     enrolment is deliberate.
>
> No W3C hat required - from one of the Microsoft IE/Edge PMs -
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/UdqJdDsFAgAJ
>
>     If that's the case, then I suppose the simplest solution is for the
>     CA to generate the keypair, then issue the cert, and then send a
>     password-encrypted PKCS#12 file to the user.
>
> Or you can use WebCrypto to generate a keypair (which is constrained to
> that origin), perform whatever proof of possession dance is required
> (e.g. signing a CSR; again, using WebCrypto), submitting the CSR to the
> CA and using WebCrypto to 'export' the key from JavaScript into a
> PKCS#12 blob URL, which could then be invoked as a download.
>
> The benefit to this is that the CA never need touch the key material. It
> could live entirely on the client, avoiding any pesky escrow/generation
> concerns. While a CA could, theoretically, access that private key (e.g.
> by serving JS that caused WebCrypto to post them the exported private
> key), it's no different a threat-model from a CA using a native
> enrollment technology to escrow their key.
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
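As an added example, not code from this thread or from either author, the client-side flow Ryan sketches above in JavaScript: the keypair is generated in the page with WebCrypto, a PKCS#10 CSR is signed over it, and the private key is exported for the user to keep (as PKCS#8 here, since PKCS#12 packaging needs a library). The DER helpers and the `enroll` function are my own names; it assumes a browser or Node runtime with the WebCrypto API.

```javascript
// Added example, not code from the thread: the client-side enrollment flow
// Ryan describes. Keypair generated in the page, a PKCS#10 CSR signed over
// it, private key exported as PKCS#8 (PKCS#12 packaging needs a library).
// Helper names are my own. Runs in a browser or in Node via WebCrypto.
const concat = (parts) => {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
};
// Minimal DER TLV encoder: tag byte, definite-form length, body.
const der = (tag, ...parts) => {
  const body = concat(parts), n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Uint8Array.from([tag, ...len, ...body]);
};
// DER INTEGER from an unsigned big-endian byte string (minimal encoding).
const derUint = (b) => {
  let i = 0;
  while (i < b.length - 1 && b[i] === 0) i++;
  const m = b.subarray(i);
  return der(0x02, m[0] & 0x80 ? concat([Uint8Array.of(0), m]) : m);
};
// AlgorithmIdentifier for ecdsa-with-SHA256 (OID 1.2.840.10045.4.3.2).
const ecdsaSha256 = der(0x30,
  Uint8Array.from([0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02]));
const subtleApi = async () =>
  globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
// Returns the DER CSR for the CA, the PKCS#8 key for the user, and a self-check.
async function enroll(commonName) {
  const subtle = await subtleApi();
  // extractable: true is what makes the later export possible; it is also
  // what lets any JS served on this origin read the key, as Ryan notes.
  const kp = await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify']);
  const spki = new Uint8Array(await subtle.exportKey('spki', kp.publicKey));
  const cn = der(0x30, der(0x06, Uint8Array.from([0x55, 0x04, 0x03])), // id-at-commonName
    der(0x0c, new TextEncoder().encode(commonName)));
  const info = der(0x30, der(0x02, Uint8Array.of(0)), // version v1(0)
    der(0x30, der(0x31, cn)),                          // subject Name
    spki,                                              // SubjectPublicKeyInfo
    der(0xa0));                                        // attributes [0], empty
  const ecdsa = { name: 'ECDSA', hash: 'SHA-256' };
  // WebCrypto yields raw r||s; PKCS#10 wants DER SEQUENCE { r, s } in a BIT STRING.
  const raw = new Uint8Array(await subtle.sign(ecdsa, kp.privateKey, info));
  const sig = der(0x30, derUint(raw.subarray(0, 32)), derUint(raw.subarray(32)));
  const csrDer = der(0x30, info, ecdsaSha256, der(0x03, Uint8Array.of(0), sig));
  const pkcs8Der = new Uint8Array(await subtle.exportKey('pkcs8', kp.privateKey));
  return { csrDer, pkcs8Der, valid: await subtle.verify(ecdsa, kp.publicKey, raw, info) };
}
```

In a page, `csrDer` goes to the CA's enrollment endpoint and `pkcs8Der` would be wrapped in a `Blob` and offered as a download; the CA never sees the private key unless the page's own script sends it.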
