W3C home > Mailing lists > Public > public-html@w3.org > September 2009

RE: <keygen> element

From: Dundas, Alan <adundas@verisign.com>
Date: Tue, 22 Sep 2009 13:29:52 -0700
Message-ID: <CF8157419DE0004A8BB5D1D2F8CCAE9907E4570F@MOU1WNEXMB08.vcorp.ad.vrsn.com>
To: <public-html@w3.org>
Sorry to come late to this conversation.  I've just read this entire
thread and as VeriSign's Client PKI Architect I thought I would give you
some additional perspective on this discussion.   VeriSign's out of the
box client enrollment uses x/cenroll for MS or keygen for any other
platform (including Firefox, Safari and Opera).
 
I agree with the general limitation discussion about Keygen, it is a
poor interface and needs to be revamped, but Ian's comments that there
is no consistent alternative is an important one.
 
Most of VeriSign's client certificate customers are enterprise customers
and many have forced their employees to limit enrollment within IE
browsers because Keygen does not offer certain functions (algorithm,
hardcoded keysize, non-exportable private key, require password
protection with password policy, keygen on hardware required).    It is
the lack of a more complete and interoperable set of requirements for
keygen that have stopped enterprises from being able to adopt PKI
solutions.  There are situations where Mac, and the many versions of
Unix based OS's must go through an expensive kiosk IE issuance process
before hardware tokens can be used on these other platforms.  There
would be more adoption of this technology across heterogeneous
environments if Keygen was enhanced to offer a similar feature set as
Microsoft provides today.
 
VeriSign is pleased to see that non-exportability is making its way to
Mac OS10.6 and having this functionality exposed to a Keygen in the
browser would be great progress.
 
Lastly, there is one area where the current poor implementation of
Keygen shines far above the Microsoft solution.  That is with partners
and customers where the issuing party can not guarantee the end user has
Admin rights.  Here it can be very difficult to use the MS process of
generating or installing keys.  Active X controls can be disabled and IE
browser settings can make key generation impossible on tightly
controlled systems.   In this situation the current Keygen in non-IE
browsers is often the only error free method to generate and use Client
certificates. 
 
Personally I'd like to see Keygen improved, not removed, as a consistent
way of using this technology that is browser agnostic would benefit
everyone, with the possible exception of Microsoft.   I'm concerned that
failure to support a consistent approach in non-IE browsers will in fact
solidify that Microsoft is the only browser that can be used if you have
the requirements in your enterprise to use client based PKI.
 
=Alan Dundas
 Principal
 VeriSign Client PKI
 
Received on Wednesday, 23 September 2009 07:52:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:08 UTC