[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Phillip Hallam-Baker philliph at comodo.com
Fri Sep 11 05:07:40 MST 2015


On Sep 3, 2015, at 12:55 PM, Gervase Markham <gerv at mozilla.org> wrote:

> On 03/09/15 15:10, Robin Alden wrote:
>> Hi Gerv, I thought NSS had its own certificate store.
>> 
>> How should we get a certificate into a user's NSS certificate store
>> so that it could be used for SSL client authentication within Firefox
>> or as an S/MIME certificate in Thunderbird unless Mozilla provide a
>> means to do so?
> 
> Our engineers suggest a Firefox add-on, something like this:
> https://github.com/mozmark/OrgCA
> The code at that link is a PoC for enterprises, but one could imagine a
> version from a CA.


This seems exactly the worst possible outcome. Plug-ins are a nightmare to maintain. And any user experience which begins ‘download a plug-in’ is going to lose a lot of users at the start.

The objective of moving the functionality out of the browser makes sense. Moving it back in again via a plug-in does not. What is needed is a separate tool that can enroll for and manage certificates and other PKI-related material, and an API for moving the needed PKI material into the programs that require it.

I have such an application for Windows Live Mail. (Windows 10 mail is not yet finished and it isn’t clear if S/MIME is even supported). I did try to write an integration module for Thunderbird but the documentation for the API is incomplete and the information that exists is simply wrong.


At any rate, someone needs to build the new bridge before you knock down the old one.




