Nelson B Bolyard wrote:
> The form value is a SignedPublicKeyAndChallenge (a.k.a., SPKAC). It
> includes the public key, along with other info, such as a signature
> which proves possession of the private key.

I always wondered why simply PKCS#10 wasn't chosen at that time. Well, that's history...

> c) The SPKAC format requires that the key be usable for signing, not
> useful for generating encryption-only keys.

This is a general problem with the proof of possession of the private key in any CSR format. I vaguely remember a discussion on PKIX mailing list regarding this related to CRMF and/or CMC.

> d) The tag has no provision for key escrow.

IMO this is a feature. ;-)

> crypto.generateCRMFRequest addresses those shortcomings (IINM), and uses
> the standard CRMF syntax for the output, rather than SPKAC.

Unfortunately CRMF is not really standardized. IMHO it's more a message format framework for which you have to define a certain CRMF profile. Furthermore many products tend to support CMC.

> I do not suggest that the keygen tag be standardized exactly as it now
> exists in Mozilla browsers, but I do think the industry would benefit
> from a standardized method for keygen.

Yupp. And personally I'd prefer a rather simple solution.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
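
Added example (not part of the original message or of Mozilla's code): a small DER walker that splits a SignedPublicKeyAndChallenge into its parts and returns the exact bytes the signature covers, which is why proof of possession in this format needs a signing-capable key. The function names and the sample are constructed for illustration; the sample carries placeholder key and signature bytes, so it parses but would not verify.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    """Encode one DER element; used here only to build the constructed sample."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def parse_spkac(b64):
    """Split a base64 SPKAC into the parts a CA checks for proof of possession."""
    der = base64.b64decode(b64, validate=True)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one outer SEQUENCE")
    t1, pkac, p1 = read_tlv(body, 0)        # PublicKeyAndChallenge
    t2, _alg, p2 = read_tlv(body, p1)       # signatureAlgorithm
    t3, sig, p3 = read_tlv(body, p2)        # signature BIT STRING
    if (t1, t2, t3) != (0x30, 0x30, 0x03) or p3 != len(body) or not sig:
        raise ValueError("not a SignedPublicKeyAndChallenge")
    ts, _spki, q1 = read_tlv(pkac, 0)       # SubjectPublicKeyInfo
    tc, chal, q2 = read_tlv(pkac, q1)       # challenge IA5String
    if (ts, tc) != (0x30, 0x16) or q2 != len(pkac):
        raise ValueError("not a PublicKeyAndChallenge")
    return {"signed_bytes": body[:p1],      # exact DER the signature covers
            "spki": pkac[:q1], "challenge": chal.decode("ascii"),
            "signature": sig[1:]}           # drop the unused-bits octet

# Constructed sample: placeholder key and signature bytes, so it parses but does not verify.
RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE_SPKI = tlv(0x30, RSA_ALG + tlv(0x03, b"\x00" + b"\xaa" * 140))
SAMPLE_PKAC = tlv(0x30, SAMPLE_SPKI + tlv(0x16, b"constructed-challenge"))
SAMPLE_SPKAC = base64.b64encode(tlv(0x30, SAMPLE_PKAC + SIG_ALG + tlv(0x03, b"\x00" + b"\x55" * 128)))
```

A verifier would check `signature` over `signed_bytes` with the key in `spki`, and compare `challenge` with the value the server issued.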