[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't ViewCertificate)

Thu Sep 3 02:04:06 MST 2015

OK.  Thanks Jody.

On 02/09/15 21:55, Jody Cloutier wrote:
> According to what I can find, right now the only way to enroll a certificate for Edge is to use IE. We have not planned what our next releases will hold, so we just don’t have any information about when/if we are going to address this in future versions of Windows/Edge. 
> 
> -----Original Message-----
> From: Rob Stradling [mailto:rob.stradling at comodo.com] 
> Sent: Wednesday, September 2, 2015 2:16 AM
> To: Ryan Sleevi <sleevi at google.com>
> Cc: Jody Cloutier <jodycl at microsoft.com>; public at cabforum.org; Dean Coclin <Dean_Coclin at symantec.com>; Rick Andrews <Rick_Andrews at symantec.com>
> Subject: Re: Browsers & Enrollment (was Re: [cabfpub] Edge Browser Can't View Certificate)
> 
> On 01/09/15 17:49, Ryan Sleevi wrote:
>> On Tue, Sep 1, 2015 at 2:11 AM, Rob Stradling 
>> <rob.stradling at comodo.com <mailto:rob.stradling at comodo.com>> wrote:
>>
>>     That's all great, but what I'm interested in right now is what is
>>     *currently* supposed to be supported w.r.t. certificate enrolment in
>>     Microsoft's browsers.  (That post says nothing about IE, Edge or
>>     CertEnroll).
>>
>>
>> As of Edge, no enrollment is directly supported by the browser.
>> ActiveX (therefore CertEnroll and XEnroll) was removed from Edge.
>> <keygen> is not supported by Edge.
>>
>> I can understand Jody's delays - multiple tweets to @MSEdgeDev and 
>> @jacobrossi and @frankoliver on the matter have gone unanswered, but 
>> the evidence remains :)
> 
> Ryan, I don't dispute that CertEnroll doesn't work in Edge right now.
> 
> What I want to know is:
> Are Microsoft planning to do anything about that?
> 
> There seems little point in CAs attempting to engineer alternative non-browser-based solutions if (for example) Microsoft might do a U-turn and add ActiveX support to Edge.
> 
> Given that Microsoft's platform is arguably the primary user of EV and non-EV Code Signing Certificates, ISTM that Microsoft might just possibly like the idea that it should be a) possible and b) relatively easy for software developers to obtain (EV) code signing certs from CAs!
> 
> Frankly, it baffles me that Microsoft are simultaneously a) pushing for increased use of EV Code Signing Certificates for Win10 and b) making it harder to obtain EV Code Signing Certificates using Win10.
> 
>>     But would it support generating keypairs "in a FIPS 140-2 level 2
>>     (or equivalent) crypto module", as required for EV Code Signing certs?
>>
>> <keygen> itself has never explicitly supported that.
>> Chrome intentionally never will support that.
> 
> Sure.  But CertEnroll does/did.
> 
>> Only Firefox's implementation gave end users the choice of security 
>> module to use (e.g. software, hardware). However, <keygen> with 
>> virtually very COTS smart card would not work (due to vendor-specific 
>> provisioning schemes), so it only ever worked with FF with PKCS#15 
>> cards, which are also virtually non-existent except in niche 
>> open-source communities.
>>
>> So I mean, even under today's/yesterday's regime, <keygen> didn't 
>> offer suitable control to allow a CA to generate such an EV Code 
>> Signing cert with the necessary assurances.
> 
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> 

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed.  If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.