diff --git a/source/future.rst b/source/future.rst index ad50410..0798216 100644 --- a/source/future.rst +++ b/source/future.rst @@ -237,6 +237,26 @@ could just use information from the client certificates issued by our CA. We could use OAuth2 or OpenID Connect for our own infrastructure too. +Client certificate enrollment in browser +---------------------------------------- + +The ancient ``keygen`` tag is not implemented by modern browsers and needs a +replacement to allow easy enrollment of client certificates for users that are +not capable to use external tools. There is :bug:`1417` filed by affected +users. + +There are JavaScript libraries like https://pkijs.org/ and +https://github.com/digitalbazaar/forge that support the cryptographic +operations. + +There are already two prototype implementations by Bernhard and Jan that could +be integrated with the current or a new future web application. + +- Bernhard's proof of concept with a subset of pkijs + https://secure.convey.de/publish/ted/TestPKI.html +- Jan's proof of concept with the forge library + https://git.dittberner.info/jan/browser_csr_generation + Cross cutting concerns ======================
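Review bot: The new "Client certificate enrollment in browser" section lists the JavaScript libraries and the two prototypes but never states the requirements a ``keygen`` replacement has to meet, so there is nothing to evaluate the prototypes against. I would add a short paragraph saying that the key pair is generated in the browser, that only the CSR is sent to the server, and how the user ends up with a key and certificate the browser can use for client authentication (for example a PKCS#12 file to import, if that is the intended flow). It should also note that the signing page and the chosen library must be served from our own origin rather than loaded from a third-party host, since that script handles the private key. Wording nit in the first paragraph: "users that are not capable to use external tools" reads better as "users who are not able to use external tools".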