Closed
Bug 107435
Opened 23 years ago
Closed 10 years ago
DOM crypto.generateCRMFRequest argument to force enrollment to a(n unspecified) hardware
Categories
(Core Graveyard :: Security: UI, enhancement, P2)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: awnuk, Unassigned)
References
Details
(Whiteboard: [kerh-ehz])
1. To do simple hardware deployments crypto object needs to supply method to generate key with specific security module. This could be done as extension of generateCRMFRequest() method or any other way. 2. Crypto object doesn't supply any methods to list security modules. I'm on 2001-10-22-18-0.9.4
Comment 1•23 years ago
|
||
Can you elaborate? Do you want the ability to specify which hardware token the key will be generated (or stored) on?
Priority: -- → P2
Target Milestone: --- → 2.2
If you need to deploy keys and certificates on hardware only, you don't have to watch them to be sure that it is done right. It is enough to verify presence of the specific security module and then generate key or keys on it.
Updated•23 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•22 years ago
|
Comment 4•22 years ago
|
||
I'm still not sure if I understand you correctly. Let me try to repeat what you say, and please confirm or explain more detailed. You want to use generate a certificate/key using JavaScript, and that certificate should be stored on a hardware device. You say the JavaScript logic should be able to check, which hardware devices a user has? And you want that the JavaScript logic can decide on its own, where the key/certificate will be stored? In order to reach that goal, you request - a new JavaScript method to list the installed devices - an extensions to the certificate generation to request storage on a particular device Do I understand that correctly? Considered I understand you correctly, here is my opinion: JavaScript methods should not be able to query the user's hardware. A website could use that to spy out a user. My understanding is, when a website triggers the creation of certificate request, and the user has multiple tokens, the application will prompt the user, and the user will decide on which device the certificate will be stored. Isn't that sufficient?
This is actually what I would like to avoid. Imagine that you would like to force your employees to use smartcards only. Current choice is either watch them picking correct (hardware) module or do the picking for them. Both situations are requiring human assistance and they are little bit embarrassing. This could be avoided by adding to generateCRMFRequest() method, ability to generate keys on specified module. It would be even nicer to inform end user that he/she is missing required (hardware) module. We could achieve this by making generateCRMFRequest() return appropriate error or/and adding a new method which would allow to check the presence of the specific module.
Comment 6•22 years ago
|
||
Could we meet in the middle? Instead of providing a way to iterate over available modules, and instead of adding a "module name" parameter to the generate key request, we could do something else: We could extend the key generation method to take a boolean parameter, that says "only hardware allowed". If there is no hardware device, Mozilla could display an error message (hardware device requested but n/a). If there is exactly one hardware device, Mozilla could use just that one. If there are multiple hardware devices available, Mozilla could display a list of all hardware devices (not allowing to select the software device).
Comment 7•22 years ago
|
||
We should not design this without imput from Terry Hayes. The real solution may involve CMC, support on server and client, etc... If we think this is high priority, we should schedule a design/architecture meeting. I'm not sure this is such high priority at the moment. Note that the relying party (the party who really cares whether the key/certs are generated on the device) is the issuing CA. The CA can only certify that the key has been generated on a hardware device if the cert request from the client contains data that cryptographically identifies the device. The CA must have a way to request this extra info from the client.
Summary: Hole in PKI hardware deployments → Force enrollment on hardware device: Hole in PKI hardware deployments
Comment 8•22 years ago
|
||
Looks like a dupe of bug 110183
Updated•21 years ago
|
QA Contact: junruh → bmartin
Updated•19 years ago
|
Whiteboard: [kerh-ehz]
Comment 10•18 years ago
|
||
changing obsolete psm* target to --- (unspecified)
Target Milestone: psm2.4 → ---
Updated•17 years ago
|
QA Contact: bmartin → ui
Comment 11•16 years ago
|
||
this (bug which is focused on letting the web page demand a hardware device) isn't a duplicate of that bug (which is interested in letting the user pick a default target)
Severity: normal → enhancement
Summary: Force enrollment on hardware device: Hole in PKI hardware deployments → DOM crypto.generateCRMFRequest argument to force enrollment to a(n unspecified) hardware
Version: 1.0 Branch → Trunk
Comment 12•11 years ago
|
||
Are any other browsers going to implement generateCRMFRequest? I doubt so, and I guess that means that there is no hope for standardizing this. Perhaps, then, we should WONTFIX all the enhancements to this method?
Bug 1030963 removed this functionality entirely.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•