Thank you:

"[…] Unfortunately Thawte's enrollment interface does not work
without Javascript. […] Thawte could silently change the behaviour of the
cert enrollment web interface. […] to be 100% sure [the private key is not
transferred] you have to check that every time you go through this process."



If this is the final and correct confirmatory response, I thank you very
much.



The questions, as Nelson B Bolyard stated them for Firefox users, who are
not IT experts, but who do want to be "100% sure":



What means do we have to "check the [Javascript cert enrollment interface]
every time [we] go through this process"?

*In other words (adapted from N. Bolyard):*

"b) Is there any way for a Firefox user to detect that his CA has requested
[the] private key [to be transmitted] ?"

*Possible answer by Kaspar Brand:* "...an "Encryption Key Copy" warning
dialog will be presented".

My personal question: Is this warning dialog really ALWAYS the case?


"c) When requesting a certificate from a CA, what can a Firefox user do to
prevent [transmission] of the newly generated private key?"
Possible answer by Kaspar Brand:

"Not too difficult to achieve, actually. Just add this line to your
prefs.js: [...]"

Is this still necessary (as for an average user this is not easy to achieve)?
Or can I be sure a warning dialog will always be presented by Firefox?


A solution to these last two questions is essential if the user wants to be
100% sure and secure.



Thank you,





2008/12/27 Kaspar Brand <m...@velox.ch>

> Michael Ströder wrote:
> > I'd love to have an option to forbid CRMFRequest calls...
>
> Not too difficult to achieve, actually. Just add this line to your
> prefs.js:
>
> user_pref("capability.policy.default.Crypto.generateCRMFRequest",
> "noAccess");
>
> > I personally don't know whether the current Mozilla implementation of
> > crypto.generateCRMFRequest includes the private key of an encryption
> > cert.
>
> Only if you tell it do so, and only if it's a key-exchange-only key. [1]
> Additionally, an "Encryption Key Copy" warning dialog will be presented
> when key escrow is attempted - try the attached demo. [2]
>
> > But there is some Javascript and the HTML looks like
> > this:
> >
> > <select name="spkac" challenge="tURRaHXxYBDwCk58"><option>2048 (High
> > Grade)</option><option>1024 (Medium Grade)</option></select>
>
> What browser were you using in this case, and for what certificate
> were you applying? I still see <keygen> elements when enrolling
> for a new Thawte Freemail certificate with Firefox or Seamonkey
> (note that when saving an HTML page with the "Web Page, complete"
> option, the keygen tag is converted into a <select> element,
> so maybe that explains the effect you're seeing).
>
> Kaspar
>
> [1] https://developer.mozilla.org/en/GenerateCRMFRequest
>
> [2] Caveat: may leave you (or your cert DB, more precisely) with
> a lot of orphan keys, if used generously - i.e. it's probably better
> to use it with a separate profile.
>
> [attached demo page; its two buttons read "Create CRMF request *with* escrow" and "Create CRMF request w/o escrow"]
>
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
>