- From: Dundas, Alan <adundas@verisign.com>
- Date: Tue, 22 Sep 2009 13:29:52 -0700
- To: <public-html@w3.org>
- Message-ID: <CF8157419DE0004A8BB5D1D2F8CCAE9907E4570F@MOU1WNEXMB08.vcorp.ad.vrsn.com>
Sorry to come late to this conversation. I've just read this entire thread and, as VeriSign's Client PKI Architect, I thought I would give you some additional perspective on this discussion.

VeriSign's out-of-the-box client enrollment uses xenroll for MS or keygen for any other platform (including Firefox, Safari and Opera). I agree with the general limitation discussion about Keygen: it is a poor interface and needs to be revamped, but Ian's comment that there is no consistent alternative is an important one. Most of VeriSign's client certificate customers are enterprise customers, and many have forced their employees to limit enrollment to IE browsers because Keygen does not offer certain functions (algorithm, hardcoded key size, non-exportable private key, required password protection with password policy, keygen on hardware required). It is the lack of a more complete and interoperable set of requirements for keygen that has stopped enterprises from being able to adopt PKI solutions. There are situations where Mac and the many versions of Unix-based OSes must go through an expensive kiosk IE issuance process before hardware tokens can be used on these other platforms. There would be more adoption of this technology across heterogeneous environments if Keygen was enhanced to offer a similar feature set to what Microsoft provides today. VeriSign is pleased to see that non-exportability is making its way to Mac OS 10.6, and having this functionality exposed to Keygen in the browser would be great progress.

Lastly, there is one area where the current poor implementation of Keygen shines far above the Microsoft solution: that is with partners and customers where the issuing party cannot guarantee the end user has Admin rights. Here it can be very difficult to use the MS process of generating or installing keys. ActiveX controls can be disabled, and IE browser settings can make key generation impossible on tightly controlled systems. In this situation the current Keygen in non-IE browsers is often the only error-free method to generate and use client certificates.

Personally, I'd like to see Keygen improved, not removed, as a consistent way of using this technology that is browser-agnostic would benefit everyone, with the possible exception of Microsoft. I'm concerned that failure to support a consistent approach in non-IE browsers will in fact solidify that Microsoft is the only browser that can be used if you have the requirements in your enterprise to use client-based PKI.

=Alan Dundas
Principal, VeriSign Client PKI
Received on Wednesday, 23 September 2009 07:52:22 UTC