Key Generation in Edge Browser <keygen>

%3CLINGO-SUB%20id%3D%22lingo-sub-1787272%22%20slang%3D%22en-US%22%3EKey%20Generation%20in%20Edge%20Browser%20%3CKEYGEN%3E%3C%2FKEYGEN%3E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1787272%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20code%20signing%2C%20or%20document%20signing%2C%20or%20e-mail%20signing%20or%20login%20on%20small%20selection%20of%20restricted%20website%20a%20personal%20certificate%20is%20needed.%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20an%20individual%20wants%20to%20buy%20such%20a%20personal%20certificate%2C%20comes%20it%20to%20the%20question%20how%20the%20personal%20key%20will%20be%20generated.%20For%20sure%3A%20generating%20the%20key%20on%20the%20client%20side%20does%20not%20mean%20that%20it%20is%20much%20more%20secure%20as%20to%20generate%20it%20on%20the%20pki%20side.%20There're%20pros%20and%20cons.%3C%2FP%3E%3CP%3EBut%2C%20when%20Microsoft%20follows%20Googles%20approach%20(turned%20off%20key%20generation%20in%20Chrome)%20I%20don't%20have%20the%20choice%20-%20in%20the%20Microsoft%20on-for-all%20devices%20Browser.%20I%20need%20to%20switch%20to%20Firefox%20and%20come%20back%20to%20Edge%20-%20well%20mid%20be%20not%20a%20failure%20in%20preserve%20my%20private%20key.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20image%20that%20there%C2%B4re%20good%20reasons%20for%20Googles%20decision%2C%20but%20the%20audience%20for%20Edge%20is%20different.%20So%20I%20welcome%20a%20discussion%20about%20this%20feature.%3C%2FP%3E%3CP%3EIf%20you%20don%C2%B4t%20what%20I%20exactly%20mean%2C%20here%C2%B4s%20an%20example%20at%20step%205%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.globalsign.com%2Fdigital-certificates%2Fdigital-certificates-life-cycle%2Fhow-order-new-client-certificate%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.globalsign.com%2Fdigital-certificates%2Fdigital-certificates-life-cycle%2Fhow-order-new-client-certificate%3C%2FA%3E%26nbsp%3Bor%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.comodo.com%2Findex.php%3F%2FKnowledgebase%2FArticle%2FView%2F244%2F0%2Fwhich-browser-can-i-use-to-signup-for-a-code-signing-certificate%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.comodo.com%2Findex.php%3F%2FKnowledgebase%2FArticle%2FView%2F244%2F0%2Fwhich-browser-can-i-use-to-signup-for-a-code-signing-certificate%3C%2FA%3E%26nbsp%3Bor%20this%20%22Browser-based%20Installation%22%20is%20nice%20documented%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.globalsign.com%2Fpersonal-sign-email%2Fbrowser-installation-client-certificates%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.globalsign.com%2Fpersonal-sign-email%2Fbrowser-installation-client-certificates%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELooking%20forward%20to%20your%20comments%2C%3C%2FP%3E%3CP%3EDennis%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1787272%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ekeygen%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1787316%22%20slang%3D%22en-US%22%3ERe%3A%20Key%20Generation%20in%20Edge%20Browser%20%3CKEYGEN%3E%3C%2FKEYGEN%3E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1787316%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F147178%22%20target%3D%22_blank%22%3E%40Dennis%20Scherrer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKeygen%20HTML%20element%20is%20depreciated%20by%20the%20W3C%2C%20that's%20why%20Chrome%2FChromium%20followed%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAbout%20Firefox%3A%3C%2FP%3E%3CP%3E%3CSTRONG%3EObsolete%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSPAN%3EThis%20feature%20is%20obsolete.%20Although%20it%20may%20still%20work%20in%20some%20browsers%2C%20its%20use%20is%20discouraged%20since%20it%20could%20be%20removed%20at%20any%20time.%20Try%20to%20avoid%20using%20it.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fkeygen%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3C%2FA%3E%3CKEYGEN%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTML%2FElement%2Fkeygen%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20-%20HTML%3A%20HyperText%20Markup%20Language%20%7C%20MDN%20(mozilla.org)%3C%2FA%3E%3C%2FKEYGEN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1791665%22%20slang%3D%22en-US%22%3ERe%3A%20Key%20Generation%20in%20Edge%20Browser%20%3CKEYGEN%3E%3C%2FKEYGEN%3E%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1791665%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20research%2C%20thank%20you%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F310193%22%20target%3D%22_blank%22%3E%40HotCakeX%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20does%20not%20change%20the%20requirement%20for%20a%20-%20let%20me%20call%20it%20-%20client%20side%20key%20generation.%3C%2FP%3E%3CP%3EIt%20is%20not%20a%20solution%20for%20indivuduals.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

For code signing, or document signing, or e-mail signing or login on small selection of restricted website a personal certificate is needed. 

When an individual wants to buy such a personal certificate, comes it to the question how the personal key will be generated. For sure: generating the key on the client side does not mean that it is much more secure as to generate it on the pki side. There're pros and cons.

But, when Microsoft follows Googles approach (turned off key generation in Chrome) I don't have the choice - in the Microsoft on-for-all devices Browser. I need to switch to Firefox and come back to Edge - well mid be not a failure in preserve my private key. 

I image that there´re good reasons for Googles decision, but the audience for Edge is different. So I welcome a discussion about this feature.

If you don´t what I exactly mean, here´s an example at step 5 https://support.globalsign.com/digital-certificates/digital-certificates-life-cycle/how-order-new-cl... or here https://support.comodo.com/index.php?/Knowledgebase/Article/View/244/0/which-browser-can-i-use-to-si... or this "Browser-based Installation" is nice documented https://support.globalsign.com/personal-sign-email/browser-installation-client-certificates 

Looking forward to your comments,

Dennis

3 Replies
Highlighted

@Dennis Scherrer 

Keygen HTML element is depreciated by the W3C, that's why Chrome/Chromium followed it.

 

About Firefox:

Obsolete
This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.

 

<keygen> - HTML: HyperText Markup Language | MDN (mozilla.org)

Highlighted

Great research, thank you @HotCakeX 

That does not change the requirement for a - let me call it - client side key generation.

It is not a solution for indivuduals.

Highlighted
True but those companies knowing that, they should use alternative technologies and there are better alternative technologies. asking individuals not to use Chromium based features (that are the most popular ones) for something like that is absurd.
instead of forcing people to use only a specific browser (which also is thinking about getting rid of that feature), they better think about using other ways to provide their service.