[cabfpub] Browsers & Enrollment (was Re: Edge Browser Can't View Certificate)
sleevi at google.com
Thu Aug 27 15:52:34 MST 2015
On Thu, Aug 27, 2015 at 1:24 PM, Rob Stradling <rob.stradling at comodo.com>
> Hi Jody. Another "gap" I've noticed with Edge is that, with ActiveX no
> longer supported, certificate enrolment using CertEnroll no longer works.
> This means that Edge can't be used to obtain Code Signing Certificates
> or S/MIME Certificates from many (if not most or even all) CAs.
> Do you have any plans to plug this gap?
> (Or is the long-term plan simply that CAs should recommend the use of a
> different browser?)
> Or, can you point me in the direction of some alternative certificate
> enrolment technology that Edge does already support?
I think it's reasonable to suggest that browsers are getting _out_ of the
In Blink, I'm in the process of deprecating the <keygen> implementation:
This follows our existing deprecation of NPAPI (aka plugins) -
Similarly, Mozilla is examining removal of <keygen> support -
- after having removed .signText and .generateCRMFRequest -
As you may or may not be aware, IE and Edge have never supported the
<keygen> tag, instead with IE supporting ActiveX plugins (CertEnroll /
XEnroll), and Edge supporting neither.
If you were to read the tealeaves for the past two years, you would see
that the idea of using Browsers as a delivery mechanism for making
system-wide changes is on the way out - and this includes key enrollment
Long-term, CAs should look outside browsers, period, for the means to
handle certificate enrollment.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public