Open Bug 1088063 Opened 10 years ago Updated 2 years ago

Create a WebCrypto based API for managing TLS client certificates

Categories: Core :: DOM: Web Crypto, defect, P3

People: Reporter: rbarnes, Unassigned

Details: Whiteboard: [domsecurity-backlog2]

Web sites used to be able to create and import client certificates using <keygen>, generateCRMFRequest(), and importUserCertificate().  But we removed those functions.
https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto 

So there is no way to manage client certificates "in band" today.  You have to go to the certificate manager in the preferences and manually install a cert.

WebCrypto gives us a sensible way to replace the above functions, in that <keygen> can be replaced with crypto.subtle.generateKey(), and the cert generation things can be replaced with JS/XHR.  The only missing piece is the import.

We should expose a simple API that allows JS to set and inspect the private key and certificate that should be used for TLS to a given HTTPS origin (the origin of the JS).  It seems to me that this could be functionally quite similar to document.cookie -- something like document.tlsClient.certificate and document.tlsClient.privateKey
Component: DOM: Security → Security
Component: Security → DOM: Security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
An additional function to close a [client certificate authenticated] TLS session (logout) would be helpful here, so that users don't have to restart Firefox every time.
As Chrome 57 will deprecate <keygen> ( https://www.chromestatus.com/features/5716060992962560 ), this should get a focus for business needs and WebID. Please consider adjusting the prioritization.
Flags: needinfo?(rlb)
Flags: needinfo?(rlb)
No longer blocks: 1315460
See Also: → 1315460
We also use the keygen and import functionality productively on Firefox... What is the alternative way to do this now, if you really want to sadly remove this feature?
As you can read on

https://github.com/w3c/webauthn/issues/1027

WebAuthn is NOT a replacement for client certification or the authentication of users.

You always need to buy hardware to be able to use WebAuthn; a hardware-free implementation is missing.

Please do not stop supporting keygen until WebAuthn has the possibility to use public keys without any hardware given!
Component: DOM: Security → DOM: Web Crypto
Severity: normal → S3