Julien Pierre wrote:
Mr nospam,
nospam wrote:
Are mozilla and openssl commercial products? If so, I've had a
misconception. If apache uses openssl (and it does), and suddenly
openssl is gone, it harms apache...which harms mozilla.
Sorry, but I don't see how harm to Apache harms Mozilla. They don't
share code. They interoperate - but commercial products do that too.
Mozilla also interoperates with commercial server products, and Apache
also interoperates with commercial client products.
The features I mentioned above are all implemented in moz browser products,
accessible via html, javascript, and the GUI. (At least in Mozilla 1.x,
and probably in FireFox too.) They are also available in command line
utilities. Start looking here:
http://www.google.com/search?num=100&q=keygen-tag
Sorry, I did not know what to search for, as mozilla itself does not
present any clues that this was even a possibility. I have no magic to
pop "generateCRMFRequest" into my brain to search for. That's why I
ask. If I must learn javascript or build programs that for example use
"crypto.generateCRMFRequest()", then it is probably better to use
openssl. I'm certainly not going to refer someone I'm trying to help
to a programmer's man page, that'd be a total failure. I'm looking for
tools to do the job, not API's to write something with.
You seem to misunderstand the audience. It's the job of the CA to take
advantage of the APIs and leverage the features of the browser to
trigger the keygen. This can be done transparently in pages served by
the CA's web server that include Javascript code. This is far simpler
than asking anyone to run any tool!
The web site will limit access via keys that have been signed by the web
site admin, on a LAN, using a self-signed CA for the web site. This
means that each user will need to have a key that is sent in and signed
by the site prior to accessing the site. How can this be done in
javascript? There will be no outside authority like Verisign. I fail to
see how a key can be pre-approved via some automated javascript. There
should in fact be no javascript required, as it is using Apache's
mod_ssl to check a list of allowed users.
I believe that most browsers are able. IINM, Safari offers the same
<keygen> tag as do Mozilla and Netscape. The methods by which a web page
requests the generation of cert signing requests varies from one to another,
but the ability is there in most, if not all.
At this point it looks like it is easier to use openssl. I need one
simple way to do this that I can send to other people who know nothing
about programming or public/private key structure. I can't ask anyone
to create scripts or edit javascript.
openssl certainly doesn't come standard on most operating systems, so
relying on it is a big barrier to entry. It's additional work for
someone to locate, download, install and manually run it. I think
you'll agree that taking advantage of a tag in a browser that the user
is already running is far easier.
The thing is that I can create a cert even if they don't. That means I'd
have a private key that they use, but the key would only be for access
to one internal/private LAN site. The key is to determine what
directories are to be accessible. Everyone involved has a Linux install.
So even if I don't provide the actual keys, I can easily provide a
script to do so if I can figure it out myself (yes, it is more
desirable if I don't have to see their private key, but it also doesn't
matter much since this is the only site it is for).
Now if I am able to provide instructions that are simpler than using
OpenSSL, that's an improvement...showing them an API page is not going
to show them how to create key pairs for me to sign. I have yet to see how
mozilla can create a key pair directly from the browser, which is
necessary without external programs if it is to replace OpenSSL for
these limited purposes.
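The enrolment flow discussed in this thread, written out with the openssl command line as an added example; it is not part of any message above. Each user generates a key pair locally and sends only the signing request, and the site admin signs it with the self-signed CA. Directory layout, file names, subject fields and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: client-certificate enrolment for a private LAN site
# with a self-signed CA. Paths, names and lifetimes are assumptions.

# Site admin, once: create the CA key and a self-signed CA certificate.
# ca.crt is what the web server is told to trust; ca.key stays with the admin.
make_ca() {    # $1 = CA directory
    ( umask 077; openssl genrsa -out "$1/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 365 \
        -subj "/O=Example LAN/CN=Example LAN CA" -out "$1/ca.crt"
}

# User: create a private key (readable by the owner only) and a signing
# request. Only the .csr file is sent to the admin; the .key never moves.
make_request() {    # $1 = user's directory, $2 = user name
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/$2.key" -sha256 \
        -subj "/O=Example LAN/CN=$2" -out "$1/$2.csr"
}

# Site admin: sign a received request. "x509 -req" checks the request's
# self-signature first, which shows the sender holds the matching private key.
sign_request() {    # $1 = CA directory, $2 = CSR file, $3 = certificate to write
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$3" 2>/dev/null
}

# Either side: confirm a certificate chains to this CA and no other.
check_cert() {    # $1 = CA directory, $2 = certificate file
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
```

With these functions sourced, the admin runs `make_ca` once, each user runs `make_request` and mails the `.csr`, and the admin returns the output of `sign_request`.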