On Wed, 2006-03-29 at 22:22 +0200, Anders Rundgren wrote:
> I tried it but got an internal error. Maybe the certificate issued by "SuckerTrust"
> for a user with the e-mail address boss@fire.hell was the culprit. :-)

Firefox, at least, is very finicky about what certificates it will permit itself to use for the crypto.signText operation. Things that have tripped me up so far include ensuring that: the CA cert is trusted for the right things by the browser, the purpose bits are right on the certificate, there's a master security password set in the browser (!), and that the CA certificate has correctly formatted X509 fields.

Regrettably, the only way that you know if there's a problem is when crypto.signText fails with 'error:internalError'. c'est la Mozilla.

I've attached a client certificate (password frog) and the corresponding CA certificate - these work for me. YMMV. Be sure to trust the CA cert or the purpose of the client certificate will show up as 'Unknown' and it won't work.

> Apart from that, I have no objections to the conversion scheme,
> although I would like to see some more documentation if possible.

I'll keep the list apprised of progress; the next steps will be sorting out key generation using the browser's CRMF request method, formalizing the XML schema, and putting an AJAX frontend using this technique (and including key generation) on the front of the existing web applications.

> The latter will
> be launched next week at the NIST PKI Workshop.

That's a somewhat annoying mis-schedule on my part - had I started working on this a few months earlier, and realized the workshop was on, I'd probably have attended. Ah well. I presume there'll be proceedings published at some point.

m.
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 30 March 2006 00:02:10 GMT