It might be interesting to note how this works in MSIE since few
CAs can completely ignore MSIE even if they wanted to:

"<keygen>" a la Microsoft:

It starts with the poor user trying to get the enroll ActiveX object
to run *by reducing security until it starts*.
Most people fail already at this stage.

Then we have the little "snag" that card initialization is not a part
of the enrollment, making the whole idea of on-line rather half-baked,
to say the least.

If to that you add that Microsoft et al. do not use the secure
provisioning and management methods provided by the card vendors,
the only reasonable conclusion is that the whole thing is just a *toy*.

Microsoft's enrollment concept, exposing hordes of cryptographic methods
in a non-trusted browser window, is also *severely broken* and a genuine
dead-end for future developments.

Enjoy!
Anders

Jean-Marc Desperrier wrote:
The most adequate group for this discussion would be mozilla.dev.tech.crypto

I agree that enhancing generateCRMFRequest to let it generate a more usual format instead of only CRMF would be a big step forward.

And making it more obvious that keygen is not a good long-term solution is a very good thing.

Thomas Zangerl wrote:
Arm,

I am not sure whether I would recommend this, but in Firefox and
Safari keygen currently just generates a <select><option...></select>
structure in the DOM. So what we in the Confusa project
(http://www.confusa.org) are currently playing with to increase the user
friendliness is just assigning the key length to the option texts and
then setting the right option to selected. In JavaScript that is
something along the lines of

    var keysize = /* usually something from PHP */ "2048";
    var keygenCell = document.getElementById("keygenCell");
    var options = keygenCell.getElementsByTagName("option");

    /* Gecko based browsers use some strange "Grade" syntax for
       keylengths - replace the label text, but keep the original
       label as the value so the browser's own mapping is not lost */
    if (navigator.userAgent.indexOf('Gecko') != -1) {
        var GECKO_STRING_HIGH = "High Grade";
        var GECKO_STRING_MEDIUM = "Medium Grade";

        for (var i = 0; i < options.length; i++) {
            var option = options[i];

            if (option.text == GECKO_STRING_HIGH) {
                option.text = "2048 bits";
                option.value = GECKO_STRING_HIGH;
            } else if (option.text == GECKO_STRING_MEDIUM) {
                option.text = "1024 bits";
                option.value = GECKO_STRING_MEDIUM;
            }
        }
    }

    /* autoselect the option whose (now numeric) label contains the
       keysize the CA wants */
    for (var i = 0; i < options.length; i++) {
        var option = options[i];

        if (option.text.indexOf(keysize) != -1) {
            option.selected = true;
        }
    }

The above seems to work in Firefox 3.0 and 3.5 and Safari 4
(selection) but not in Opera 10.50.
An alternative you might consider is using Mozilla's Crypto-Interface,
which gives you full control over the key size etc.:
https://developer.mozilla.org/en/JavaScript_crypto

Regarding Mozilla's Crypto-Interface, we found it pretty inconvenient
to deal with yet another certificate format, though, because
generateCRMFRequest generates the cert request as a CRMF file and
Firefox expects to receive the response in CMMF. If there is no easy
way to do this with your CA, you might however have to fall back to a
hack just as we do.

/Thomas


On Mar 29, 10:48 am, Arm Abramyan <aabra...@gmail.com> wrote:
Dear Firefox support team,

The Armenian e-Science Foundation Certification Authority (ArmeSFo CA, http://www.escience.am/ca/index.html), which is a member of the European Policy Management Authority for Grid Authentication (EUGridPMA, https://www.eugridpma.org), created a Graphical User Interface for generating a private key and Certificate Signing Request (CSR). According to our Certification Policy, the minimum key length for a user or host/service
certificate is 1024 bits.

Firefox gives users a choice of RSA key between "high" strength (2048 bits) and "medium" strength (1024 bits). It provides this with the HTML keygen element.

Would you help us to change the text of the HTML form ("High Grade" and "Medium
Grade") and to set the default value of them?

Thank you in advance
Armenuhi Abramyan
ArmeSFo CA operator
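The relabel-and-preselect trick Thomas describes, written out as an added example that is not part of this thread, of Confusa's code, or of any browser API. It assumes the same DOM shape the thread reports (keygen rendered as a select with option children, the Gecko labels "High Grade" and "Medium Grade"), keeps the option-list logic in pure functions so it can be checked outside a browser, and adds the check Arm's policy actually needs: if no offered option meets the CA's minimum key length, nothing is selected and the submit guard returns false. The element id "keygenCell" and the function names are assumptions.

```javascript
// Added example (not from the thread): relabel the <keygen> key-size options,
// preselect the size the CA wants, and refuse to proceed when no option meets
// the CA's minimum. Pure functions work on plain {text, value} objects;
// wireKeygen() applies the result to a real element.

// Labels Firefox renders for its two RSA choices, as reported in the thread.
const GECKO_LABELS = { "High Grade": 2048, "Medium Grade": 1024 };

// Map an option label to a key size in bits, or null when not understood.
// Labels that already carry a number ("2048 bits", assumed shape) are kept.
function keySizeOfLabel(text) {
  if (Object.prototype.hasOwnProperty.call(GECKO_LABELS, text)) {
    return GECKO_LABELS[text];
  }
  const m = /\b(\d{3,5})\b/.exec(text);
  return m ? parseInt(m[1], 10) : null;
}

// options: array of {text, value}; wanted: size the CA prefers (bits);
// minimum: the CA's policy floor (bits).
// Returns {options: [{text, value, size, selected}], selected: size|null}.
function chooseKeySize(options, wanted, minimum) {
  const annotated = options.map(function (o) {
    const size = keySizeOfLabel(o.text);
    return {
      // Show the size instead of the "Grade" wording; leave unknown labels alone.
      text: size === null ? o.text : size + " bits",
      // Keep whatever value the browser set; if it is empty, carry the original
      // label over as the thread's snippet does, so the mapping is not lost.
      value: o.value ? o.value : o.text,
      size: size,
      selected: false
    };
  });
  const usable = annotated.filter(function (o) {
    return o.size !== null && o.size >= minimum;
  });
  let pick = usable.find(function (o) { return o.size === wanted; });
  if (!pick && usable.length) {
    // Wanted size not offered: take the strongest option that still meets policy.
    pick = usable.reduce(function (a, b) { return b.size > a.size ? b : a; });
  }
  if (pick) pick.selected = true;
  return { options: annotated, selected: pick ? pick.size : null };
}

// Apply the choice to a keygen element already in the DOM. Returns the
// selected size in bits, or null when nothing acceptable was offered.
function wireKeygen(keygenEl, wanted, minimum) {
  const domOptions = keygenEl.getElementsByTagName("option");
  const plain = Array.prototype.map.call(domOptions, function (o) {
    return { text: o.text, value: o.value };
  });
  const result = chooseKeySize(plain, wanted, minimum);
  result.options.forEach(function (o, i) {
    domOptions[i].text = o.text;
    domOptions[i].value = o.value;
    domOptions[i].selected = o.selected;
  });
  return result.selected;
}

// Submit guard: the form must not be sent when the browser offers no key
// size the CA policy accepts.
function submitAllowed(selectedSize, minimum) {
  return selectedSize !== null && selectedSize >= minimum;
}

// Only touch the DOM when there is one, so the file also runs under node.
if (typeof document !== "undefined") {
  const el = document.getElementById("keygenCell"); // assumed id, as in the thread
  if (el) {
    const size = wireKeygen(el, 2048, 1024); // 1024 is ArmeSFo's stated minimum
    if (!submitAllowed(size, 1024)) {
      // Disable the submit button and tell the user; the exact UI is up to you.
    }
  }
}
```

The fallback rule (strongest policy-conforming option when the preferred size is absent) is a choice made here, not something the thread prescribes; a CA that only ever accepts one exact size should drop the reduce() and treat a missing match as a refusal.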



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto