Thank you: "[…] Unfortunately Thawte's enrollment interface does not work without Javascript. […]Thawte could silently change the behaviour of the cert enrollment web interface. […] to be 100% sure [the private key is not transferred] you have to check that every time you go through this process."
If this is the final and correct confirmatory response, I thank you very much. The questions, as Nelson B Bolyard stated them for Firefox users, who are not IT experts, but who do want to be "100% sure": What means do we have to "check the [Javascript cert enrollment interface] every time [we] go through this process"?

*In other words (adapted from N. Bolyard):* "b) Is there any way for a Firefox user to detect that his CA has requested [the] private key [to be transmitted]?"

*Possible answer by Kaspar Brand:* "...an "Encryption Key Copy" warning dialog will be presented".

My personal question: Is this warning dialog really ALWAYS the case?

"c) When requesting a certificate from a CA, what can a Firefox user do to prevent [transmission] of the newly generated private key?"

Possible answer by Kaspar Brand: "Not too difficult to achieve, actually. Just add this line to your prefs.js: [...]"

Is this still necessary (as for an average user this is not easy to achieve)? Or can I be sure a warning dialog will always be presented by Firefox?

A solution to these last two questions is essential if the user wants to be 100% sure and secure.

Thank you,

2008/12/27 Kaspar Brand <m...@velox.ch>
> Michael Ströder wrote:
> > I'd love to have an option to forbid CRMFRequest calls...
>
> Not too difficult to achieve, actually. Just add this line to your
> prefs.js:
>
> user_pref("capability.policy.default.Crypto.generateCRMFRequest",
> "noAccess");
>
> > I personally don't know whether the current Mozilla implementation of
> > crypto.generateCRMFRequest includes the private key of an encryption
> > cert.
>
> Only if you tell it to do so, and only if it's a key-exchange-only key. [1]
> Additionally, an "Encryption Key Copy" warning dialog will be presented
> when key escrow is attempted - try the attached demo. [2]
>
> > But there is some Javascript and the HTML looks like
> > this:
> >
> > <select name="spkac" challenge="tURRaHXxYBDwCk58"><option>2048 (High
> > Grade)</option><option>1024 (Medium Grade)</option></select>
>
> What browser were you using in this case, and for what certificate
> were you applying? I still see <keygen> elements when enrolling
> for a new Thawte Freemail certificate with Firefox or Seamonkey
> (note that when saving an HTML page with the "Web Page, complete"
> option, the keygen tag is converted into a <select> element,
> so maybe that explains the effect you're seeing).
>
> Kaspar
>
> [1] https://developer.mozilla.org/en/GenerateCRMFRequest
>
> [2] Caveat: may leave you (or your cert DB, more precisely) with
> a lot of orphan keys, if used generously - i.e. it's probably better
> to use it with a separate profile.
>
> Create CRMF request *with* escrow
> Create CRMF request w/o escrow
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
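One way to do the per-enrollment check the thread asks about, as an added example that is not part of the thread: a static audit of a saved enrollment page that counts <keygen> elements (which only ever submit the SPKAC public key) and inspects every crypto.generateCRMFRequest call for a non-null escrow argument. It assumes the MDN signature where escrowAuthorityCert is the fourth argument, and uses constructed sample pages, not Thawte's real interface; because it only reads the saved HTML, dynamically generated or obfuscated script can evade it, which is why the prefs.js "noAccess" setting above remains the stronger control.

```python
import re

# Constructed samples of saved enrollment pages (not Thawte's real pages).
KEYGEN_PAGE = '<form><keygen name="spkac" challenge="tURRaHXxYBDwCk58"></form>'
CRMF_ESCROW_PAGE = ('<script>crypto.generateCRMFRequest("CN=user", "tok", null,\n'
                    '  escrowCert, "done()", 1024, null, "rsa-ex");</script>')
CRMF_PLAIN_PAGE = ('<script>crypto.generateCRMFRequest("CN=user", "tok", null,\n'
                   '  null, "done()", 1024, null, "rsa-dual-use");</script>')

KEYGEN_RE = re.compile(r"<keygen\b", re.I)
CALL_RE = re.compile(r"generateCRMFRequest\s*\(")

def _split_args(src, start):
    """Split the top-level arguments of a JS call whose '(' is at src[start]."""
    args, buf, depth, quote, i = [], "", 0, None, start + 1
    while i < len(src):
        ch = src[i]
        if quote:                           # inside a string literal
            buf += ch
            if ch == "\\":                  # keep escaped char verbatim
                buf, i = buf + src[i + 1], i + 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote, buf = ch, buf + ch
        elif ch in "([{":
            depth, buf = depth + 1, buf + ch
        elif ch in ")]}" and depth:
            depth, buf = depth - 1, buf + ch
        elif ch == ")":                     # closing paren of the call itself
            return args + [buf.strip()]
        elif ch == "," and not depth:
            args, buf = args + [buf.strip()], ""
        else:
            buf += ch
        i += 1
    return args + [buf.strip()]             # unterminated call: best effort

def audit_enrollment_page(html):
    """Count <keygen> elements and flag generateCRMFRequest calls whose 4th
    argument (escrowAuthorityCert, assumed per MDN) is not null."""
    calls = []
    for m in CALL_RE.finditer(html):
        args = _split_args(html, m.end() - 1)
        escrow_arg = args[3] if len(args) > 3 else "null"
        calls.append({"escrow_arg": escrow_arg,
                      "escrow": escrow_arg not in ("null", "undefined")})
    return {"keygen": len(KEYGEN_RE.findall(html)), "crmf_calls": calls,
            "key_escrow_possible": any(c["escrow"] for c in calls)}
```

Run it on the "Web Page, complete" copy of an enrollment page and treat `key_escrow_possible` as the signal to stop and read the script by hand.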