Nelson B Bolyard wrote:
<snip>
>> <keygen> since a CA has no options for key protection during issuance
>> using Firefox which it has using MSIE.
>
> Yes, I quite agree with you on this point, Anders. The problem is that the
> CA cannot express to Firefox that it wants Firefox to require that the
> generated key be unextractable.

Exactly.

>> It might be of interest knowing that hardly any bank in the EU (many use
>> soft certificates) has bothered with MSIE or Firefox keystores at all,
>> since banks require PIN-codes which is a feature they are accustomed
>> to. Due to this they have their own client software for both auth and
>> keygen.
>
> Yes, you've told us that frequently. Have you now written an add-on for
> Firefox and an .ocx or BHO for MSIE that implements the same new cert
> enrollment html or JavaScript feature in those two browsers? If so,
> please provide a URL for the web site describing them. Then we'll see if
> there's any follow-up interest here.

I think this is why not even mighty Microsoft have been able to come up
with something useful: You need an *inter-disciplinary* solution that is
architected. Xenroll is just an ugly hack to bypass the awkward internal
architecturing process.

BTW, regarding technical solutions, I have in an earlier posting (keygen NG)
described what *I* consider the "right" approach. So far I have been unable
to get any feedback on that, which I guess must depend either on a bad
description or, as I suspect, limited interest in fixing on-line provisioning,
since the demand almost 100% comes from non-paying entities like governments
and banks in foreign places.

I have of course not given up on this by any means, but I'm looking for funding
because it is a $500K+ project even when running as Open Source.

Anders
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto