Bug 6637 - Allow in-browser issuance
Status: NEW
Product: GridShib
Component: GridShib-CA
Version: 0.5.1
Hardware/OS: All / All
Importance: P3 enhancement
Depends on: 7064
Reported: 2009-02-03 21:31
Modified: 2010-07-08 10:30

Description From 2009-02-03 21:31:37
Instead of having a JWS client launch and request a certificate, use the built-in
browser functionality to generate the request and return the certificate to
the browser. This would mimic the issuance process of some existing CAs
allowing the GS-CA to drop into their existing issuance flows more easily.

The main challenge here is determining the (I believe) javascript for the
various browsers to initiate the key and certificate request generation
process.
------- Comment #1 From 2009-12-06 19:07:35 -------
Implementation notes:

Firefox command: https://developer.mozilla.org/en/GenerateCRMFRequest

Keygen tag: https://developer.mozilla.org/en/HTML/HTML_Extensions/KEYGEN_Tag
(Doesn't work with IE?)

Here is code from myopenid.com that uses keygen:
https://www.myopenid.com/settings_authentication

<form method="post" action="https://www.myopenid.com/certificate_request_submit"
      onsubmit="return setForm('pkcs10')">
<input type="hidden" name="tid" value="0b43276e" />
<table>
    <tr>
      <td>
         <keygen class="skip" name="cert_spkac" id="spkac" value="2048"></keygen>
         <input type="hidden" name="cert_pkcs10" id="pkcs10" />
      </td>
    </tr>
    <tr>
      <th><label for="cert-name">Name</label></th>
      <td>
        <input type="text" id="cert-name" name="cert_label" maxlength="64" />
        <br /><span class="example">
          e.g. <q>home</q>, <q>work</q>, <q>laptop</q></span>
      </td>
    </tr>
------- Comment #2 From 2009-12-07 19:41:14 -------
Pruning what features go in 2.0 based on what is required for CILogon service.
This will go into post-2.0 release.

Also don't see why this blocks 6845 so removing that.
------- Comment #3 From 2010-06-29 10:44:22 -------
See also:
http://lists.globus.org/pipermail/myproxy-user/2010-June/000197.html

Looks like this will require myproxy-server changes to support the
browser-generated certificate request message(s).
------- Comment #4 From 2010-07-08 10:30:01 -------
Note MyProxy currently expects a PKCS#10 (RFC 2986) certificate request.
CRMFRequest generates an RFC 4211 Certificate Request Message Format (CRMF)
object. KeyGen creates a SignedPublicKeyAndChallenge (SPKC) (see Bug 7064 for
the needed myproxy-server SPKC support). What does IE need? Need to do more
research.