Closed
Bug 1088063
Opened 11 years ago
Closed 7 months ago
Create a WebCrypto based API for managing TLS client certificates
Categories
(Core :: DOM: Web Crypto, task, P5)
Tracking
RESOLVED
WONTFIX
People
(Reporter: rbarnes, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
Web sites used to be able to create and import client certificates using <keygen>, generateCRMFRequest(), and importUserCertificate(). But we removed those functions.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto
So there is no way to manage client certificates "in band" today. You have to go to the certificate manager in the preferences and manually install a cert.
WebCrypto gives us a sensible way to replace the above functions, in that <keygen> can be replaced with crypto.subtle.generateKey(), and the cert generation things can be replaced with JS/XHR. The only missing piece is the import.
We should expose a simple API that allows JS to set and inspect the private key and certificate that should be used for TLS to a given HTTPS origin (the origin of the JS). It seems to me that this could be functionally quite similar to document.cookie -- something like document.tlsClient.certificate and document.tlsClient.privateKey
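The replacement path sketched in the description above, as an added example that is not part of the bug report or of Mozilla's code: a page generates a non-extractable key pair with crypto.subtle.generateKey() in place of <keygen>, and the CA checks a proof-of-possession signature before issuing. The signed "SPKI followed by challenge" layout, the function names and the nonce values are assumptions made for this example; installing the issued certificate for TLS is the step the bug says has no API, so it is not shown.

```javascript
// Browsers and current Node.js expose WebCrypto globally; the require()
// fallback only runs on older Node builds without a global crypto object.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };

function concat(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a);
  out.set(b, a.length);
  return out;
}

// Client side (hypothetical helper): the job <keygen> used to do.
// extractable=false means page script can sign with the private key
// but can never read its bytes; the public key stays exportable.
async function enroll(challenge) {
  const pair = await subtle.generateKey(ALG, false, ["sign"]);
  const spki = new Uint8Array(await subtle.exportKey("spki", pair.publicKey));
  // Proof of possession over public key + server nonce (assumed layout).
  const signature = new Uint8Array(
    await subtle.sign(SIG, pair.privateKey, concat(spki, challenge)));
  return { pair, spki, signature };
}

// CA side (hypothetical helper): verify before issuing a certificate.
async function verifyEnrollment(spki, signature, challenge) {
  const pub = await subtle.importKey("spki", spki, ALG, true, ["verify"]);
  return subtle.verify(SIG, pub, signature, concat(spki, challenge));
}

async function demo() {
  const enc = new TextEncoder();
  const nonce = enc.encode("constructed-server-nonce-1"); // constructed sample
  const { pair, spki, signature } = await enroll(nonce);
  const accepted = await verifyEnrollment(spki, signature, nonce);
  // A request replayed against a different nonce must be rejected.
  const replayed = await verifyEnrollment(
    spki, signature, enc.encode("constructed-server-nonce-2"));
  let exportBlocked = false;
  try {
    await subtle.exportKey("pkcs8", pair.privateKey);
  } catch {
    exportBlocked = true; // non-extractable key: export is refused
  }
  return { accepted, replayed, exportBlocked, spkiLength: spki.length };
}
```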
Updated•10 years ago
Component: DOM: Security → Security
Updated•9 years ago
Component: Security → DOM: Security
Updated•9 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Comment 1•9 years ago
An additional function to close a [client certificate authenticated] TLS session (Logout) would be helpful here, so that users don't have to restart Firefox every time.
Comment 2•9 years ago
As Chrome 57 will deprecate <keygen> ( https://www.chromestatus.com/features/5716060992962560 ), this should get a focus for business needs and WebID. Please consider adjusting the prioritization.
Flags: needinfo?(rlb)
Updated•9 years ago
Flags: needinfo?(rlb)
Updated•8 years ago
Comment 3•8 years ago
We also use the keygen and import capability in production on Firefox... What is the alternative way to do this now, if you really want to sadly remove this feature?
Comment hidden (advocacy)
Comment 6•7 years ago
As you can read on
https://github.com/w3c/webauthn/issues/1027
WebAuthn is NOT a replacement for client certification or the authentication of users.
You always need to buy hardware to be able to use WebAuthn; a hardware-free implementation is missing.
Please do not stop supporting keygen until WebAuthn has the possibility to use public keys without any hardware!
Updated•7 years ago
Component: DOM: Security → DOM: Web Crypto
Updated•3 years ago
Severity: normal → S3
Updated•1 year ago
Severity: S3 → S4
Type: defect → task
Priority: P3 → P5
Comment 7•7 months ago
I don't think that the WebCrypto team is interested in doing this, so I am closing the patch until there is an update.
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → WONTFIX