Hi, sorry for warming up this topic, I've just been pointed here.
On Thursday, 30 July 2015 01:35:49 UTC+2, David Keeler wrote:

> Ryan Sleevi recently announced the pre-intention to deprecate and
> eventually remove support for the <keygen> element and special-case
> handling of the application/x-x509-*-cert MIME types from the blink
> platform (i.e. Chrome).
>
> [...]
>
> I therefore propose we follow suit and begin the process of deprecating
> and removing these features. The intention of this post is to begin a
> discussion to determine the feasibility of doing so.

A common setup I build for small companies and organizations uses a simple local CA and a web page containing a form with a <keygen> and a password. Enrollment works by

1. Phone call or physical presence of applicant; CA administrator authenticates applicant.
2. Administrator starts enrollment process; one-time password is generated and given to applicant.
3. Applicant uses the <keygen> and the one-time password to send a signing request to the CA server.
4. CA server replies with new client certificate.

For simple setups, this is a really easy way to deploy certificates -- really, the hardest part is copying the certificate from Firefox to Thunderbird if it is to be used for SMTP relay authentication as well.

Removing <keygen> obviously breaks this workflow, but I think it can be replaced with JavaScript -- this adds an extra step for organizations that do not enable JS by default, but I think that would be manageable. In any case, however, the key store would still need to be able to store keys that are not associated with a certificate yet, or we're losing key generation capability completely (well, theoretically we could generate keys in JS and keep the private key material in DOM storage until the certificate is ready, but I doubt anyone wants that).

Is there still an API left that allows me to easily deploy client certificates in such a setting?

Simon
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform