Nelson B Bolyard wrote:
> Michael Ströder wrote, On 2008-07-25 06:13:
>> Nelson B Bolyard wrote:
>>> I suggest you look at
>>> http://developer.mozilla.org/en/docs/NSS_Certificate_Download_Specification
>>> for ideas on importing certs.
>> I wonder why Mozilla doesn't support application/pkix-cert and
>> application/pkix-crl specified in http://www.rfc-editor.org/rfc/rfc2585.txt
> It's a matter of PSM and UI design issues.
> All issues with MIME content types are decided in the browser, not in NSS.

Ok. But I'd really appreciate it if all browsers would handle the same MIME
types for certs. In web2ldap I have code which detects the browser and
sends different MIME types. This might be feasible in web applications
but it's not on simple web pages.

> At cert download time, there are various decisions we might ask the user to
> make, depending on the type of cert being downloaded. For example, when
> downloading a CA cert, it is appropriate to ask the user to make trust
> decisions about the cert. The user would be expected to make different
> decisions or take different actions for
> - his own personal user certs, vs
> - certs for other servers or other email correspondents, vs
> - CAs.

Having implemented things like that in (outdated) http://pyca.de at the
time of Netscape Comm. 4.x, I know all these use-cases.

> It's often not easy to tell which of those roles is appropriate for a cert
> being downloaded. The MIME content type gives the browser a big clue about
> which of those 3 categories encompasses the downloaded cert.

I agree that RFC 2585 is not ideal for that. But it's the only
vendor-independent standard I know of.

> Without those
> clues, the UI would need to ask the user more questions, and these are the
> types of questions that users are very likely to completely fail to
> understand.

I hate to say it, but Windows' certificate import wizard does a good job
guessing what should be done (different types of key stores).
One could leave out the use-case for installing a cert for an
accompanying private key (a personal cert) because the whole enrollment
process itself is highly browser-dependent.
But for importing public-key certs the browser could guess what to do
(e.g. by looking whether a cert is self-signed or checking the
basicConstraints extension).

> The bottom line is: supporting a MIME content type that says nothing about
> the way in which the cert will be used will require additional PSM UI work
> and the browser's UI czars aren't motivated to do it.

Hmm...

Ciao, Michael.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
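The guess Michael sketches above (self-signed or basicConstraints) worked out as an added Go example; this is not code from the thread, from NSS or from PSM. The role names, the decision order and the three constructed test certificates are assumptions made here: basicConstraints is trusted when present, and only a cert without the extension falls back to the self-signature check.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertRole is the category a browser must pick for a downloaded public-key cert.
// The "own personal cert" role needs a matching private key, so it is left out.
type CertRole string
const (
	RoleCA     CertRole = "ca"     // ask the user for trust decisions
	RoleEntity CertRole = "entity" // server or email correspondent cert
)
// ClassifyDER guesses the role of one DER cert (an application/pkix-cert body):
// basicConstraints decides when present, self-signature is the fallback.
func ClassifyDER(der []byte) (CertRole, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if c.BasicConstraintsValid {
		if c.IsCA {
			return RoleCA, nil
		}
		return RoleEntity, nil // also covers self-signed certs marked cA:FALSE
	}
	// No basicConstraints (legacy roots): a signature valid under the cert's own
	// key marks a root candidate. Self-signed entity certs match too: a guess.
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return RoleCA, nil
	}
	return RoleEntity, nil
}
// SampleCerts returns three constructed self-signed DER certs: a CA with
// basicConstraints, an entity cert with cA:FALSE, and one with no extension.
func SampleCerts() (ca, entity, legacy []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	mk := func(serial int64, cn string, isCA, bcValid bool) []byte {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			IsCA: isCA, BasicConstraintsValid: bcValid, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv) // parent == template: self-signed
		return der
	}
	return mk(1, "Test CA", true, true), mk(2, "mail.example.test", false, true), mk(3, "Legacy Root", false, false)
}
```

The second sample shows why the order matters: it is self-signed, yet its cA:FALSE basicConstraints keeps it out of the CA category.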