Anders,

On Mar 30, 10:57 pm, Anders Rundgren <anders.rundg...@telia.com> wrote:
> Good to hear, thanx.
>
> Doesn't that also mean that anybody can enumerate your CSPs without your
> knowledge?

No, IE still says "The site is attempting to perform a certificate operation, allow (yes/no)" when enumerating the CSPs. The only difference is that it does so in the standard security level.

> If it does, I think this supports my belief that APIs for usage in the
> untrusted browser window is the wrong approach for "keygen".
>
> I think the real problem is that almost none of the large PKIs supporting
> soft certificates actually use the browsers' own enroll functions because
> they are very different and unsuitable for consumers.
>
> Not to mention that the smart card vendors have developed schemes that
> are entirely different to soft certificates since the issuer actually
> knows (with cryptographic proofs) that keys are in a card (brand or specific
> unit).

I fully believe you (I worked for a brief time with smartcards and it was not a fun experience).

> All major CAs including EJBCA and MSFT support keygen in spite of its
> unusual request format.

Yes. Even openssl supports SPKAC. I still think that using a markup element for control flow is ugly design, but I should really get over it, as this is a theoretical discussion, given the lack of alternatives. So, if keygen included an option for controlling the key size I'd already be happy and shut up.

/Thomas

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto