Thomas Zangerl wrote:
On Mar 30, 12:53 pm, Anders Rundgren <anders.rundg...@telia.com>
wrote:
It might be interesting to note how this works in MSIE since few
CAs can completely ignore MSIE even if they wanted to:

"<keygen>" a la Microsoft:

It starts by the poor user trying to get the enroll ActiveX object
to run *by reducing security until it starts*.
Most people fail already at this stage.


We actually got it to work without the user having to lower the
security. The trick is to push the factory classes with their object
IDs onto the page as objects. So if you declare an object like this:
<object classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"
id="classFactory" height="0" width="0" ></object> on your enrollment
page, you automagically have a classFactory in JavaScript without any
security level changes.

Good to hear, thanx.


Doesn't that also mean that anybody can enumerate your CSPs without your 
knowledge?

If it does, I think this supports my belief that APIs for usage in the untrusted
browser window is the wrong approach for "keygen".


I'm not claiming that Microsoft's API is nice, atrocities include such
things as
var hashObjID = classFactory.CreateObject("X509Enrollment.CObjectId"); // IObjectId via the factory
hashObjID.InitializeFromName("89"); // numeric CERTENROLL_OBJECTID value the author uses for SHA-1
objRequest.HashAlgorithm = hashObjID; // hash algorithm for signing the request

to force it into using SHA-1 as the hash algorithm, but at least it
gives you control over almost anything once you have figured out how
to do it (can be painful) and it creates standard PKCS#7 CSRs. Keygen
does neither and generateCRMFRequest just has to use that widely
unsupported format :(

I think the real problem is that almost none of the large PKIs supporting
soft certificates actually use the browsers' own enroll functions because
they are very different and unsuitable for consumers.

Not to mention that the smart card vendors have developed schemes that
are entirely different to soft certificates since the issuer actually
knows (with cryptographic proofs) that keys are in a card (brand or specific
unit).

All major CAs including EJBCA and MSFT support keygen in spite of its
unusual request format.


Anders
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
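As an added illustration of the <object> trick and the explicit hash-algorithm setting discussed in the thread (my example, not code posted by Thomas or Anders), here is a minimal MSIE enrollment page that pulls the CertEnroll class factory in through the object tag, creates a user RSA key, builds a PKCS#10 request with the SHA-1 OID set explicitly and returns it base64-encoded. The CLSID is the one quoted above; the provider name, key length and the numeric CertEnroll constants are my assumptions.

```html
<!DOCTYPE html>
<html>
<head><title>CertEnroll demo (constructed example)</title></head>
<body>
<!-- CX509EnrollmentWebClassFactory, CLSID as quoted in the thread.
     Note for defenders: every script running in this page's origin can now
     reach CertEnroll (e.g. enumerate CSPs), so serve this page over HTTPS
     only and keep third-party script off it. -->
<object classid="clsid:884e2049-217d-11da-b2a4-000e7bbb2b09"
        id="classFactory" height="0" width="0"></object>

<script type="text/javascript">
// Assumed constants (CertEnroll enums): ContextUser=1, XCN_AT_KEYEXCHANGE=1,
// XCN_NCRYPT_ALLOW_EXPORT_NONE=0, XCN_CRYPT_STRING_BASE64=1
var CONTEXT_USER = 1, AT_KEYEXCHANGE = 1, EXPORT_NONE = 0, ENC_BASE64 = 1;
var SHA1_OID = "1.3.14.3.2.26"; // dotted OID instead of the enum number "89"

function buildCsr() {
  var factory = document.getElementById("classFactory");

  // Non-exportable 2048-bit RSA key in the user's store (assumed provider).
  var privKey = factory.CreateObject("X509Enrollment.CX509PrivateKey");
  privKey.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
  privKey.KeySpec = AT_KEYEXCHANGE;
  privKey.Length = 2048;
  privKey.ExportPolicy = EXPORT_NONE;
  privKey.Create();

  // PKCS#10 request bound to that key; no template name for a standalone CA.
  var req = factory.CreateObject("X509Enrollment.CX509CertificateRequestPkcs10");
  req.InitializeFromPrivateKey(CONTEXT_USER, privKey, "");

  // Force the request signature hash, as in the thread, but via the OID value.
  var hashOid = factory.CreateObject("X509Enrollment.CObjectId");
  hashOid.InitializeFromValue(SHA1_OID);
  req.HashAlgorithm = hashOid;

  // Wrap in an enrollment object and emit the request as base64 for the CA.
  var enroll = factory.CreateObject("X509Enrollment.CX509Enrollment");
  enroll.InitializeFromRequest(req);
  return enroll.CreateRequest(ENC_BASE64);
}
</script>
<button onclick="document.getElementById('csr').value = buildCsr();">Create CSR</button>
<textarea id="csr" rows="12" cols="72"></textarea>
</body>
</html>
```

The CA's response would then be handed back to the same enrollment object with InstallResponse, which is why the private key never leaves the user's CSP.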