The keygen element has been around since the Netscape days. It works in Firefox, Opera and Safari but not in Internet Explorer. Being an official part of HTML5 means that this will be available in IE9, or will it? Here is a description of what the keygen element does. I believe this is from the old Netscape docs at the now defunct.

"The KEYGEN tag facilitates the generation of key material and submission of the public key as part of an HTML form. This mechanism is designed for use in web-based certificate management systems. It displays a menu of key-size choices from which the user must choose one. Then, when the submit button is clicked, a key pair of the selected size is generated. The private key is encrypted and stored in the local key database. The public key and challenge string are DER encoded as PublicKeyAndChallenge and then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally submitted to the server as the value of a name-value pair, where the name is specified by the NAME attribute of the KEYGEN tag."

If crypto's not part of your skill set, suffice it to say that it gives your browser the ability to generate a public/private key pair that allows you to use certificates with secure servers that make it very difficult for someone else's browser to pretend they are your browser and access the stuff you are trying to keep secure. I was trying different HTML5 tags in the Internet Explorer Platform Preview 3 and when I got to the keygen element, it did not work. I endeavored to find out if it was to be included in the near future. It took me a while but I found a pretty good answer in the HTMLWG mailing list archives at. The post is from last September (2009) and is by Adrian Bateman, a program manager in Microsoft's Internet Explorer group who is working on getting HTML5 into IE and doing a very good job of it so far. His post is a response to the same question I am asking. Is IE going to support the keygen element as defined in the HTML5 spec? Here is his answer.

"The problem with <keygen> is that it fails to address the requirements that people have for certificate enrolment today. We see two main use cases for client-side certificate auth on the web today. One is some kind of web access to a financial institution like a bank or brokerage firm or to e-government sites. Another is enterprise remote access (although we commonly see the enterprise scenario handled with something like a smart card requiring offline provisioning). It's hard to find examples of <keygen> being actively used today. Most commercial and government implementations use proprietary enrolment mechanisms often based on Java applets, Mozilla's custom generateCRMFRequest, or Microsoft's scriptable APIs such as CertEnroll.

1. <keygen> typically requires the user to select the appropriate key length from a list. Most users are not equipped to make this decision. In general, the server should be able to indicate what type of key pair it wants including acceptable key length, algorithm, etc. For example, RSA 512 may not be something a bank wants to deal with.

2. Creating the key pair (with <keygen>) and then having a certificate returned from the server to be installed on the client appear to the user as two separate actions. This is a poor user experience and there is no way to avoid this with <keygen>. A better approach would have the key submission and certificate response integrated into the same control.

3. <keygen> does not provide a mechanism for managing certificate expiry. This forces the user to repeat the initial key creation process whenever certificates expire.

4. The format used by <keygen> is not standard and only provides a subset of already established protocols like PKCS10, CMC, and CRMF. This prevents <keygen> from supporting non-RSA based certificates, extensions for additional client information, and key escrow.

These deficiencies mean that browser vendors have introduced alternative mechanisms for managing certificate enrolment. Given these issues with <keygen> we think that requiring support in order to be a conforming HTML 5 user agent is problematic. At the very least, we believe that <keygen> should be marked as obsolete in the spec."
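The Netscape description gives the wire format (PublicKeyAndChallenge, signed with the new private key, base64 in a form field), and Bateman's first complaint is that the server cannot express the key size it will accept. The following Go program is an added example, not code from this post, from Netscape, or from Microsoft. It models both halves of the exchange: clientGenerate does what the browser does on submit, and serverVerify is the set of checks an issuing side should run before minting a certificate. It assumes sha256WithRSAEncryption as the signature algorithm (the Netscape-era implementation signed with MD5 and RSA), uses Go's standard library only, and the challenge values and function names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// PublicKeyAndChallenge ::= SEQUENCE { spki SubjectPublicKeyInfo, challenge IA5String }
type publicKeyAndChallenge struct {
	Raw       asn1.RawContent // filled by Unmarshal with the exact DER that was signed
	SPKI      asn1.RawValue   // SubjectPublicKeyInfo carried as opaque DER
	Challenge string          `asn1:"ia5"`
}

// SignedPublicKeyAndChallenge ::= SEQUENCE { pkac, signatureAlgorithm, signature BIT STRING }
type signedPublicKeyAndChallenge struct {
	PublicKeyAndChallenge publicKeyAndChallenge
	SignatureAlgorithm    pkix.AlgorithmIdentifier
	Signature             asn1.BitString
}

// Assumption for this example: sha256WithRSAEncryption (historical SPKAC used MD5 with RSA).
var oidSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}

// clientGenerate models the browser on submit: generate the pair, sign the public key
// together with the server's challenge, and base64 the DER for the form field value.
func clientGenerate(challenge string, bits int) (string, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", nil, err
	}
	spkiDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return "", nil, err
	}
	pkac := publicKeyAndChallenge{SPKI: asn1.RawValue{FullBytes: spkiDER}, Challenge: challenge}
	tbs, err := asn1.Marshal(pkac) // the RawContent field is skipped by Marshal
	if err != nil {
		return "", nil, err
	}
	digest := sha256.Sum256(tbs)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", nil, err
	}
	der, err := asn1.Marshal(signedPublicKeyAndChallenge{
		PublicKeyAndChallenge: pkac,
		SignatureAlgorithm:    pkix.AlgorithmIdentifier{Algorithm: oidSHA256WithRSA, Parameters: asn1.NullRawValue},
		Signature:             asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
	if err != nil {
		return "", nil, err
	}
	return base64.StdEncoding.EncodeToString(der), key, nil
}

// serverVerify: strict decoding, challenge binding (rejects stale or replayed blobs),
// a key-size policy the server sets itself, and proof of possession over the signed bytes.
func serverVerify(spkacB64, expectedChallenge string, minBits int) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(spkacB64)
	if err != nil {
		return nil, err
	}
	var spkac signedPublicKeyAndChallenge
	rest, err := asn1.Unmarshal(der, &spkac)
	if err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed SPKAC DER (err=%v, trailing=%d bytes)", err, len(rest))
	}
	if subtle.ConstantTimeCompare([]byte(spkac.PublicKeyAndChallenge.Challenge), []byte(expectedChallenge)) != 1 {
		return nil, fmt.Errorf("challenge mismatch: submission not bound to this enrolment session")
	}
	if !spkac.SignatureAlgorithm.Algorithm.Equal(oidSHA256WithRSA) {
		return nil, fmt.Errorf("unsupported signature algorithm %v", spkac.SignatureAlgorithm.Algorithm)
	}
	pub, err := x509.ParsePKIXPublicKey(spkac.PublicKeyAndChallenge.SPKI.FullBytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("SPKAC carries a non-RSA key")
	}
	if rsaPub.N.BitLen() < minBits {
		return nil, fmt.Errorf("key too small: %d bits, policy requires %d", rsaPub.N.BitLen(), minBits)
	}
	digest := sha256.Sum256(spkac.PublicKeyAndChallenge.Raw)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], spkac.Signature.Bytes); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return rsaPub, nil
}
```

The server side is where Bateman's point lands: because the KEYGEN tag only lets the user pick a size from a menu, the only place a bank can enforce "no RSA 512" is after the fact, by rejecting the submission as serverVerify does with minBits. The challenge check is the other thing worth noting; the challenge is what ties a SignedPublicKeyAndChallenge to one enrolment page load, so the server must store the nonce it issued and compare against it rather than trusting whatever string arrives.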