Michael Ströder wrote:
> I'd love to have an option to forbid CRMFRequest calls...
Not too difficult to achieve, actually. Just add this line to your
prefs.js:
user_pref("capability.policy.default.Crypto.generateCRMFRequest", "noAccess");
> I personally don't know whether the current Mozilla implementation of
> crypto.generateCRMFRequest includes the private key of an encryption
> cert.
Only if you tell it to do so, and only if it's a key-exchange-only key. [1]
Additionally, an "Encryption Key Copy" warning dialog will be presented
when key escrow is attempted - try the attached demo. [2]
> But there is some JavaScript and the HTML looks like
> this:
>
> <select name="spkac" challenge="tURRaHXxYBDwCk58"><option>2048 (High
> Grade)</option><option>1024 (Medium Grade)</option></select>
What browser were you using in this case, and for what certificate
were you applying? I still see <keygen> elements when enrolling
for a new Thawte Freemail certificate with Firefox or Seamonkey
(note that when saving an HTML page with the "Web Page, complete"
option, the keygen tag is converted into a <select> element,
so maybe that explains the effect you're seeing).
Kaspar
[1] https://developer.mozilla.org/en/GenerateCRMFRequest
[2] Caveat: may leave you (or your cert DB, more precisely) with
a lot of orphan keys, if used generously - i.e. it's probably better
to use it with a separate profile.