CertEnroll JS Crypto API

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Thu, 01 Dec 2011 13:07:02 +0100
Message-ID: <4ED76DE6.7040302@telia.com>
To: "public-identity@w3.org" <public-identity@w3.org>

http://blogs.msdn.com/b/alejacma/archive/2009/01/28/how-to-create-a-certificate-request-with-certenroll-javascript.aspx

If you read the comments you can see that you need to muck around with "IE security"
settings in order to get it to work.  IMNSHO, this demonstrates the general uselessness
of the JS-based crypto API approach for performing crypto operations in general purpose
("open") crypto modules.

Feel free to try, but do not expect the browser vendors to implement something which is
broken already on the drawing board.

The only workaround I'm aware of is creating "applications" like the already available
TLS stuff which indeed doesn't expose any API to untrusted browser code.
The SK/KeyGen2 token provisioning scheme builds on the same time-proven principles.

Gemalto once tried to open smart cards to web access:
http://www.sconnect.com/FAQ/index.html
AFAICT, they don't seem to push this concept too hard these days :-)

Anders
Received on Thursday, 1 December 2011 12:07:38 GMT
