Anders, I agree with you totally. That is why I have another extension (https://addons.mozilla.org/en-US/firefox/addon/4522) for XML digital signature processing to support all that on-line stuff. You would still need the PKI based key generation stuff to support XML based signature and encryption. I just wish that the Mozilla DOM supported the W3C standard for XML canonicalization - then I would not have to go outside the Mozilla code base. What I do not like is CA based key generation (as I explained in my companion document) - I would only do that if I am required to submit a CA-signed certificate by some service provider. I want to be in full control of my keys at my side of the browser. I do not want a CA to invalidate my key when I do not renew my subscription.
One of my other goals is to support Key Continuity Management (KCM) as specified by the OLPC (One Laptop per Child) security spec. Hopefully I will get time outside my day job to do it.
--
Subrata

Anders Rundgren wrote:
> Hi Subrata,
>
> Although I find your extension interesting, I think that the on-line stuff
> is nowhere ready. KeyGen, generateCRMFrequest, and Xenroll have
> severe limitations which have made most large PKIs in the EU use
> home-brewed PKI provisioning solutions. I am trying to create a
> standard for this. It will be built on XML rather than ASN.1.
>
> Here comes something related:
>
> ----- Original Message -----
> From: "Anders Rundgren" <[EMAIL PROTECTED]>
> To: <ietf-pkix@imc.org>
> Sent: Saturday, March 31, 2007 08:32
> Subject: netscape-cert-renewal-url & beyond
>
>
> Although the "netscape-cert-renewal-url" certificate extension does
> not appear to be incorporated in any PKIX RFC, it is anyway
> documented in vendor specs like:
> http://msdn2.microsoft.com/en-us/library/aa378149.aspx
>
> I have two open questions regarding this particular extension:
>
> 1. Is it supported by any PKI-clients and if so which ones?
>
> 2. If it is not already supported on a major scale, wouldn't it be
> worthwhile supporting such a facility? My personal experience
> with certificates (I have had numerous) is that they tend to silently
> expire, leaving you high and dry and concluding that "passwords are
> better". When you have to "renew" from scratch you are thrown
> into laborious processes which can take weeks to perform.
>
> If you have certificate and key in a connected device
> like a web-server or mobile phone, you could very well
> create something like we already have with Windows update,
> JRE update, Adobe update, where the user in some instances
> would only have to issue a PIN in order to get a credential
> update.
> For commercial certificates the process would be
> slightly more complex, but of course an auto-renewal process
> must support this use-case as well.
>
> I do not propose making the Netscape extension a PKIX
> standard but rather to start discussing the road to better
> support of credential life-cycles.
>
> Comments?
>
> Anders Rundgren
>
>
> ----- Original Message -----
> From: "Subrata Mazumdar" <[EMAIL PROTECTED]>
> Newsgroups: mozilla.dev.tech.crypto
> To: <dev-tech-crypto@lists.mozilla.org>
> Sent: Friday, March 30, 2007 14:16
> Subject: Re: Announcement: Firefox Extension for Key Generation and
> Certificate Enrollment
>
>
> Here is a follow-up to the original message:
> - I forgot to mention, the "KeyManager" extension only works on Windows
> and Linux.
> If there is interest, I may be able to create a version for SUN-Solaris.
> - addons.mozilla.org changed their policy - the extension is now
> publicly available. You do not have to register to download the extension.
> Here is the direct URL for the extension page:
> https://addons.mozilla.org/en-US/firefox/addon/4471
> Still, please write a review if you use the extension and give
> comments using the discussion link on the extension page.
> - If you are not really keen on learning Mozilla-NSS command line
> utilities, such as certutil, pk12util, signtool etc., you can use
> this extension to do the same tasks. It presents XUL based forms for
> the various parameters.
>
> Thanks,
> --
> Subrata
>
>
>
> Subrata Mazumdar wrote:
>
>> Hi,
>> I would like to bring to your attention our Firefox extension for
>> stand-alone key generation and enrollment.
>> The extension is available from the "sandbox" in
>> https://addons.mozilla.org/en-US/firefox/. According to the sandbox policy
>> rules, you have to register, login, and then subscribe to the sandbox in
>> order to download any extensions from the sandbox.
>>
>> Title: KeyManager Tool: Firefox Extension for Key Generation and
>> Certificate Enrollment
>> KeyManager is a stand-alone PKI tool for key generation and
>> certificate enrollment. The KeyManager tool is packaged as a “chrome”
>> based Firefox extension. We have extended the Certificate Manager
>> wizard in Mozilla PSM and added the capability for key generation and
>> SCEP based certificate enrollment. Currently, PSM allows import and
>> export of keys but does not provide an interface for local key
>> generation. In addition, the tool supports signing of proxy
>> certificates for delegation of authority and provides a XUL based GUI
>> for signing archive files.
>> The KeyManager tool has the following features:
>> - Generation of keys, signing of self-signed certificates and generation
>> of PKCS#10 based Certificate Signing Requests (CSR)
>> (uses an XPCOM based interface to the NSS command-line tools
>> certutil/certcgi and a XUL based GUI)
>> - Signing of Proxy Certificates and other users' certificates
>> - SCEP based Certificate enrollment
>> - Signing of archive files (provides a XUL based GUI for signtool in
>> Mozilla NSS)
>> - Generation of a configuration file for OpenSSL based applications;
>> very useful if you are trying to use the
>> OpenSC based engine for smartcards with OpenSSL
>> For more info: http://pubs.research.avayalabs.com/pdfs/ALR-2006-044.pdf
>>
>> If you download and use the tool, please write a review. I need enough
>> reviews in order for the extension to be nominated as a publicly
>> available extension.
>>
>> Thanks.
>> --
>> Subrata Mazumdar
>>
>>
>>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
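For readers wondering what the last KeyManager feature above (an OpenSSL configuration for the OpenSC smartcard engine) amounts to, this is an added example of such an openssl.cnf, not a file produced by KeyManager or taken from the thread; the module paths are assumptions that differ between distributions.

```ini
# openssl.cnf fragment (added example, not KeyManager output).
# Registers the pkcs11 engine and points it at the OpenSC PKCS#11 module,
# so that signing and decryption happen on the card and the private key
# is never written to disk, which matches the "keys stay on my side" goal.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Assumed paths: check where your distribution installs these two modules.
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# 0 = load lazily on first use, so tools that never touch the card pay no cost.
init = 0
```

With this in place, `openssl req -new -engine pkcs11 -keyform engine -key <key-id> -out request.csr` builds a PKCS#10 CSR whose signature is computed on the card; the `<key-id>` syntax depends on the engine_pkcs11 version in use.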