Hi Subrata,

Although I find your extension interesting, I think that the on-line stuff is nowhere ready. KeyGen, generateCRMFrequest, and Xenroll have severe limitations which have made most large PKIs in the EU use home-brewed PKI provisioning solutions.

I am trying to create a standard for this. It will be built on XML rather than ASN.1.

Here comes something related:

----- Original Message -----
From: "Anders Rundgren" <[EMAIL PROTECTED]>
To: <ietf-pkix@imc.org>
Sent: Saturday, March 31, 2007 08:32
Subject: netscape-cert-renewal-url & beyond

Although the "netscape-cert-renewal-url" certificate extension does not appear to be incorporated in any PKIX RFC, it is anyway documented in vendor specs like:
http://msdn2.microsoft.com/en-us/library/aa378149.aspx

I have two open questions regarding this particular extension:

1. Is it supported by any PKI-clients and if so which ones?
2. If it is not already supported on a major scale, wouldn't it be worthwhile supporting such a facility?

My personal experience with certificates (I have had numerous), is that they tend to silently expire, leaving you high and dry and concluding that "passwords are better". When you have to "renew" from scratch you are thrown into laborious processes which can take weeks to perform.

If you have certificate and key in a connected device like a web-server or mobile phone, you could very well create something like we already have with Windows update, JRE update, Adobe update, where the user in some instances only would have to issue a PIN in order to get a credential update. For commercial certificates the process would be slightly more complex but of course an auto-renewal-process must support this use-case as well.

I do not propose making the Netscape extension a PKIX standard but rather start discussing the road to a better support of credential life-cycles.

Comments?

Anders Rundgren

----- Original Message -----
From: "Subrata Mazumdar" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Friday, March 30, 2007 14:16
Subject: Re: Announcement: Firefox Extension for Key Generation and Certificate Enrollment

Here is a follow-up to the original message:

- I forgot to mention, the "KeyManager" extension only works on Windows and Linux.
  If there is interest, I may be able to create a version for SUN-Solaris.
- addons.mozilla.org changed their policy - the extension is now publicly available. You do not have to register to download the extension. Here is the direct URL for the extension page:
  https://addons.mozilla.org/en-US/firefox/addon/4471
  Still, please write a review if you use the extension and give comments using the discussion link on the extension page.
- if you are not really keen on learning Mozilla-NSS command line utilities, such as certutil, pk12util, signtool etc., you can use this extension to do the same tasks. It presents XUL based forms for various parameters.

Thanks,
--
Subrata

Subrata Mazumdar wrote:
> Hi,
> I would like to bring to your attention our Firefox extension for
> stand-alone key generation and enrollment.
> The extension is available from "sandbox" in
> https://addons.mozilla.org/en-US/firefox/. According to sandbox policy
> rule, you have to register, login, and then subscribe for sandbox in
> order to download any extensions from sandbox.
>
> Title: KeyManager Tool: Firefox Extension for Key Generation and
> Certificate Enrollment
> KeyManager is a stand alone PKI tool for key generation and
> certificate enrollment. The KeyManager tool is packaged as “chrome”
> based Firefox extension. We have extended the Certificate Manager
> wizard in Mozilla PSM and added the capability for key generation and
> SCEP based certificate enrollment. Currently, PSM allows import and
> export of keys but does not provide interface for local key
> generation. In addition, the tool supports signing of proxy
> certificates for delegation of authorities and provides XUL based GUI
> for signing archive files.
> The KeyManager tool has following features:
> - Generation of keys, signing self-signing certificate and generation
>   of PKCS#10 based Certificate Signing Requests (CSR)
>   (Uses XPCOM based interface for NSS commandline tool for
>   certutil/certcgi and XUL based GUI)
> - Signing of Proxy Certificate and other users' certificates
> - SCEP based Certificate enrollment
> - Signing of archive files (provides XUL based GUI for signtool in
>   Mozilla NSS)
> - Generation of configuration file for OpenSSL based applications;
>   very useful if you are trying to use
>   OpenSC based engine for smartcard with OpenSSL
> For more info: http://pubs.research.avayalabs.com/pdfs/ALR-2006-044.pdf
>
> If you download and use the tool, please write a review. I need enough
> review in order for the extension to be nominated for publicly
> available extension.
>
> Thanks.
> --
> Subrata Mazumdar
>
>

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto