On Fri, Jun 27, 2014 at 6:32 PM, Brian Smith <br...@briansmith.org> wrote:
Hi

> The issue is that the WebCrypto API uses a totally separate keystore from
> the X.509 client certificate keystore (if it doesn't, it should), and
> the stuff that Red Hat does is about client certificates. AFAICT, WebCrypto
> doesn't have any mechanism for accessing the client certificate store
> and it isn't clear if/when that would be added.

Indeed. And that's one of the complaints I have made. We are using
smartcards, and a system/browser-keystore integration would be great. It
seems they aren't worried about that and are not going to implement it
anytime soon. Even more: FIDO is not based on PKI either. To sum up: we
don't (yet) have a cross-browser alternative (*except* Java) for making
digital signatures.

> However, an addon would be able to do these things, because the addon could
> literally just use the crypto code that you are proposing to remove,
> without the DOM parts. However, now that Firefox is minimizing the amount
> of NSS that is exposed from libnss3 and friends on non-Linux platforms, it
> is probably the case that the addon will need to use platform-specific APIs
> to access the operating system keystore, at least on non-Linux platforms.
> However, I think that is a good idea anyway, because Firefox (and
> Thunderbird) should be using the native OS for client certificates and
> S/MIME certificates anyway.

In our case we are using Java Applets, and this is giving us some
headaches (and now worse with Chrome's NPAPI deprecation).

> As far as whether it is OK to remove functionality that some websites are
> depending on: In this case, I think you can remove functionality that
> Chrome currently doesn't support (using the same APIs or different APIs)
> without hesitation. For example, I don't think Chrome can do the key escrow
> thing so I don't see why Firefox needs to support it either. The advantages
> of deleting the code outweigh the value that Firefox gains from supporting
> those things.
>
> We had a conversation about this a year ago on this mailing list and AFAICT
> nobody has made any effort at W3C to standardize anything related to the
> functionality for which you are proposing removal. I think that is a good
> indication of how unimportant it is. So, +1 from me.

We need to use <keygen>. We are currently using smartcard detection to
make key generation on our cards more user-friendly. We are also using
addModule/deleteModule for PKCS#11 registration. I know many people are
still running signText. I understand you want to remove legacy code, but
I'd love this cleaning to be done AFTER there's an alternative in the
running/production stage. That said, I *partially* agree with removing
these features... unless they break <keygen>. That is something I still
need.

Thanks

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto