[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Ryan Sleevi sleevi at google.com
Tue Sep 1 16:49:59 UTC 2015


On Tue, Sep 1, 2015 at 2:11 AM, Rob Stradling <rob.stradling at comodo.com>
wrote:

> That's all great, but what I'm interested in right now is what is
> *currently* supposed to be supported w.r.t. certificate enrolment in
> Microsoft's browsers.  (That post says nothing about IE, Edge or
> CertEnroll).


As of Edge, no enrollment is directly supported by the browser.
ActiveX (therefore CertEnroll and XEnroll) was removed from Edge.
<keygen> is not supported by Edge.

I can understand Jody's delays - multiple tweets to @MSEdgeDev and
@jacobrossi and @frankoliver on the matter have gone unanswered, but the
evidence remains :)

> But would it support generating keypairs "in a FIPS 140-2 level 2 (or
> equivalent) crypto module", as required for EV Code Signing certs?


<keygen> itself has never explicitly supported that.
Chrome intentionally never will support that.

Only Firefox's implementation gave end users the choice of security module
to use (e.g. software, hardware). However, <keygen> with virtually every
COTS smart card would not work (due to vendor-specific provisioning
schemes), so it only ever worked with FF with PKCS#15 cards, which are also
virtually non-existent except in niche open-source communities.

So I mean, even under today's/yesterday's regime, <keygen> didn't offer
suitable control to allow a CA to generate such an EV Code Signing cert
with the necessary assurances.