Open
Bug 1088063
Opened 10 years ago
Updated 4 months ago
Create a WebCrypto based API for managing TLS client certificates
Categories
(Core :: DOM: Web Crypto, task, P5)
Core
DOM: Web Crypto
Tracking
()
NEW
People
(Reporter: rbarnes, Unassigned)
References
Details
(Whiteboard: [domsecurity-backlog2])
Web sites used to be able to create and import client certificates using <keygen>, generateCRMFRequest(), and importUserCertificate(). But we removed those functions.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto
So there is no way to manage client certificates "in band" today. You have to go to the certificate manager in the preferences and manually install a cert.
WebCrypto gives us a sensible way to replace the above functions, in that <keygen> can be replaced with crypto.subtle.generateKey(), and the cert generation things can be replaced with JS/XHR. The only missing piece is the import.
We should expose a simple API that allows JS to set and inspect the private key and certificate that should be used for TLS to a given HTTPS origin (the origin of the JS). It seems to me that this could be functionally quite similar to document.cookie -- something like document.tlsClient.certificate and document.tlsClient.privateKey
Updated•9 years ago
|
Component: DOM: Security → Security
Updated•8 years ago
|
Component: Security → DOM: Security
Updated•8 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Comment 1•8 years ago
|
||
An additional function to close a [client certificate authenticated] tls session (Logout) would be helpful here, so that users don't have to restart Firefox every time.
Comment 2•8 years ago
|
||
As Chrome 57 will deprecate <keygen> ( https://www.chromestatus.com/features/5716060992962560 ) this should get a focus for business needs and WebID. Please consider to adjust the prioritization.
Flags: needinfo?(rlb)
Reporter | ||
Updated•8 years ago
|
Flags: needinfo?(rlb)
Updated•7 years ago
|
Comment 3•7 years ago
|
||
We also use productive the keygen and import possibility on firefox... How is the alternative way to do this now, if you realy want to sadly remove this feature?
Comment hidden (advocacy) |
Comment 6•6 years ago
|
||
As you can read on
https://github.com/w3c/webauthn/issues/1027
the webautn is NOT a replacement for client certification or the authentication of users.
You always need to buy hardware to be able to use webauthn, a hardware free implementation is missing.
Please do not stop supporting keygen until webauthn has the possibility to use public keys without any hardware given!
Updated•6 years ago
|
Component: DOM: Security → DOM: Web Crypto
Updated•2 years ago
|
Severity: normal → S3
Updated•4 months ago
|
Severity: S3 → S4
Type: defect → task
Priority: P3 → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•