[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)
jodycl at microsoft.com
Tue Sep 1 17:54:56 UTC 2015
Update: We do not yet have an official position on this, and we are still evaluating our position.
From: Jody Cloutier
Sent: Monday, August 31, 2015 10:34 AM
To: 'Ryan Sleevi' <sleevi at google.com>; Rob Stradling <rob.stradling at comodo.com>
Cc: public at cabforum.org; Dean Coclin <Dean_Coclin at symantec.com>; Rick Andrews <Rick_Andrews at symantec.com>
Subject: RE: Browsers & Enrollment (was Re: [cabfpub] Edge Browser Can't View Certificate)
I’m still investigating the current status of Edge. The person that I needed to talk to was out of the office last week.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, August 28, 2015 4:27 PM
To: Rob Stradling <rob.stradling at comodo.com<mailto:rob.stradling at comodo.com>>
Cc: Jody Cloutier <jodycl at microsoft.com<mailto:jodycl at microsoft.com>>; public at cabforum.org<mailto:public at cabforum.org>; Dean Coclin <Dean_Coclin at symantec.com<mailto:Dean_Coclin at symantec.com>>; Rick Andrews <Rick_Andrews at symantec.com<mailto:Rick_Andrews at symantec.com>>
Subject: Re: Browsers & Enrollment (was Re: [cabfpub] Edge Browser Can't View Certificate)
On Fri, Aug 28, 2015 at 3:33 PM, Rob Stradling <rob.stradling at comodo.com<mailto:rob.stradling at comodo.com>> wrote:
Perhaps, with your W3C hat on, you know more about Microsoft's plans than I do. However, if you don't mind, I'd like to hear from Microsoft about whether or not Edge's non-support for certificate enrolment is deliberate.
No W3C hat required - from one of the Microsoft IE/Edge PMs - https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/UdqJdDsFAgAJ
If that's the case, then I suppose the simplest solution is for the CA to generate the keypair, then issue the cert, and then send a password-encrypted PKCS#12 file to the user.
The benefit to this is that the CA never need touch the key material. It could live entirely on the client, avoiding any pesky escrow/generation concerns. While a CA could, theoretically, access that private key (e.g. by serving JS that caused WebCrypto to post them the exported private key), it's no different a threat-model from a CA using a native enrollment technology to escrow their key.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public