Anders Rundgren wrote:
> I believe Mozilla will regret support for <keygen> standardization because
> few will like the quite delayed end-result since it still won't [*]
> support serious users of PKI who want to deal with policy as well.
> Policy means "container quality", PINs etc.

If you have special needs for enforcing things at the client-side, just implement a custom enrollment applet in Java for your custom CA.

BTW: The CA MUST check the cert request anyway and MUST reject cert requests not complying with the policy (wrong naming, short keys, etc.). The CA SHOULD inform the user why the cert request was rejected, giving advice to the user on how to do it correctly.

> For non-serious usage <keygen> is OK as it is :-)

Whatever serious means for you. E.g. I'm seriously using encrypted e-mail. I'm fine with choosing my own key container. So the <keygen> tag is a serious solution in situations where the non-corporate skilled user is free to choose what he wants.

> JavaScript is effectively the client-side programming language of the web
> making it rather pointless downplaying a JavaScript solution.

JavaScript is one of the major attack vectors when attacking web apps and/or browsers. Personally I prefer a key enrollment interface running without it (JavaScript disabled in the browser).

Ciao, Michael.

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
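The CA-side check described in the reply above (reject requests with short keys or wrong naming, and tell the requester why), as an added Go example that is not part of the original thread; the policy values, the "Example Org" subject and the function names are hypothetical, and the request is built in-process so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Policy is a constructed CA policy; the values used below are hypothetical.
type Policy struct {
	MinRSABits  int    // reject RSA keys shorter than this
	RequiredOrg string // subject O must equal this
}

// CheckCSR parses a DER PKCS#10 request, verifies proof of possession and rejects it with a reason.
func CheckCSR(der []byte, p Policy) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return fmt.Errorf("request is not valid PKCS#10: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("request signature does not verify: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("policy accepts RSA keys only, got %T", csr.PublicKey)
	}
	if bits := pub.N.BitLen(); bits < p.MinRSABits {
		return fmt.Errorf("key too short: %d bits, policy requires at least %d", bits, p.MinRSABits)
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != p.RequiredOrg {
		return fmt.Errorf("subject O must be %q, got %v", p.RequiredOrg, csr.Subject.Organization)
	}
	return nil
}

// NewTestCSR builds a constructed request with the given RSA size and subject O.
func NewTestCSR(bits int, org string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Test User", Organization: []string{org}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
func main() {
	der, _ := NewTestCSR(1024, "Example Org")
	fmt.Println(CheckCSR(der, Policy{MinRSABits: 2048, RequiredOrg: "Example Org"})) // rejected: key too short
}
```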

