[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)

Jody Cloutier jodycl at microsoft.com
Tue Sep 1 17:54:56 UTC 2015


Update: We do not yet have an official position on this, and we are still evaluating our position.

From: Jody Cloutier
Sent: Monday, August 31, 2015 10:34 AM
To: 'Ryan Sleevi' <sleevi at google.com>; Rob Stradling <rob.stradling at comodo.com>
Cc: public at cabforum.org; Dean Coclin <Dean_Coclin at symantec.com>; Rick Andrews <Rick_Andrews at symantec.com>
Subject: RE: Browsers & Enrollment (was Re: [cabfpub] Edge Browser Can't View Certificate)

I’m still investigating the current status of Edge. The person that I needed to talk to was out of the office last week.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, August 28, 2015 4:27 PM
To: Rob Stradling <rob.stradling at comodo.com>
Cc: Jody Cloutier <jodycl at microsoft.com>; public at cabforum.org; Dean Coclin <Dean_Coclin at symantec.com>; Rick Andrews <Rick_Andrews at symantec.com>
Subject: Re: Browsers & Enrollment (was Re: [cabfpub] Edge Browser Can't View Certificate)

On Fri, Aug 28, 2015 at 3:33 PM, Rob Stradling <rob.stradling at comodo.com> wrote:
Perhaps, with your W3C hat on, you know more about Microsoft's plans than I do.  However, if you don't mind, I'd like to hear from Microsoft about whether or not Edge's non-support for certificate enrolment is deliberate.

No W3C hat required - from one of the Microsoft IE/Edge PMs - https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/UdqJdDsFAgAJ

If that's the case, then I suppose the simplest solution is for the CA to generate the keypair, then issue the cert, and then send a password-encrypted PKCS#12 file to the user.

Or you can use WebCrypto to generate a keypair (which is constrained to that origin), perform whatever proof of possession dance is required (e.g. signing a CSR; again, using WebCrypto), submitting the CSR to the CA and using WebCrypto to 'export' the key from JavaScript into a PKCS#12 blob URL, which could then be invoked as a download.

The benefit to this is that the CA never need touch the key material. It could live entirely on the client, avoiding any pesky escrow/generation concerns. While a CA could, theoretically, access that private key (e.g. by serving JS that caused WebCrypto to post them the exported private key), it's no different a threat-model from a CA using a native enrollment technology to escrow their key.