Fortify is an open source application sponsored by a certificate authority through the CA Security Council and is now available for Windows and Mac. The Fortify application is free for all users and connects a user’s Web browser to a smart card, security token, and certificate on the user’s local computer. This allows users to generate X.509 certificates in their browsers, replacing the need for deprecated functionality.
Generate the certificate in the browser
The Web Cryptography API (also known as Web Crypto) provides a set of encryption capabilities for Web browsers through a set of JavaScript apis.
However, Web Crypto only provides cryptographic primitives – general systems and methods on which a particular system is based. For example, RSA is one of the primitives used to build public-key cryptosystems.
This is great for the Web as a platform – it gives developers easy access to cross-platform functionality. However, this also means that Web Crypto is not designed to contain use cases that are not considered important to the overall Web.
For example, Web Crypto does not address compatibility issues with hardware security devices (i.e., smart cards) or certificate generation. This poses a problem for certificate authorities (CAS) and their clients, as browsers currently lack the capability to generate code signatures and S/MIME certificates, which in turn is deprecated without replacement (part of the HTML specification).
Although deprecated for security vulnerabilities, the Web Crypto specification acknowledges that the API is not a direct substitute.
“While this API allows applications to generate, retrieve, and manipulate key materials, it does not specifically address the configuration of keys in specific types of key stores, such as security elements or smart cards.” For now, some browsers still support it, such as Firefox, but Mozilla’s developer site indicates that this feature is deprecated and may be removed in the future. But Google Chrome deprecated it in version 49 and removed it completely in version 57. Microsoft Edge does not support this feature and has no intention of doing so.
Without it, you lose a way to generate certificates locally through the browser in a user-friendly manner, but this is required to register consumer code signatures and S/MIME certificates. Fortify can now fill that void.
Fortify extends the Web Crypto API to include support for certificates and smart cards
Fortify is a flexible application that provides a link between a Web browser (or other user agent) and a certificate or smart card on a user’s local computer. While it’s not entirely seamless, as it requires the user to install an additional application, it does fill the void of deprecation creation, and can offer more functionality than that.
Fortify extends the Web Crypto API by directly addressing key functions that the API was not designed to handle, primarily by allowing Web applications to access smart cards, hardware security tokens (such as Yubikey 4 and NEO), and local certificate stores (for X.509 certificates). Web sites and Web applications that support the Web Crypto API can easily start supporting Fortify access to these local devices and certificates.
Fortify provides an authority model that allows users to control, allowing them to approve and manage which sources (sites) can take advantage of its powerful capabilities. For CAS, Fortify can replace the requirement for certificate and key generation by allowing browser-based registration forms to connect to the user’s local certificate store.
Currently, if the user’s default Settings are not supported, the CA has no choice but to redirect the user to another Web browser. In Firefox, the user must conduct the export process separately because the browser uses a separate keystore from the operating system. When installed, Fortify provides a better user experience than a typical browser.
Because it does not itself integrate with the PKCS# 11 API, it also requires the user to take additional steps to import the keystore, which creates opportunities for poor key management. Not only does it provide a sub-user experience, it also provides a low level of security. The certificate is exported from the browser as a. P12 file, which can be password protected but usually uses weak encryption algorithms that are vulnerable to cracking. This allows for weaker security controls on the user’s private key.
When a certificate is generated using a hardware token or HSM, Fortify can connect to it through its PKCS# 11 library to ensure that the key has been created and retained on the device. Support for the open source PKCS# 11 standard is an interoperable and reliable way to support a wide variety of hardware tokens in use today.
We think this is a significant improvement on a user experience that is outdated due to its age and design goals. It’s worth noting that Fortify addresses this issue in a healthy way for the web ecosystem. Fortify allows CA to extend the capabilities of Web Crypto beyond the W3C specification, giving the industry a reliable way to meet its needs without having to include features that are unsuitable for most users and thus reduce the size of the browser.
Web applications that support Web Crypto can also use Fortify to register other types of X.509 certificates as a means of signing/encrypting documents and authenticating users using client certificates.
Fortify is open source, compatible with Windows 7+ and OSX 10.12+, and works with all major browsers. For more information on how to generate certificates using Fortify, contact your certificate authority.
[from SSL China]