
Re: <keygen>

From: Henry Story <henry.story@co-operating.systems>
Date: Sun, 6 Sep 2015 08:36:16 +0200
Cc: public-webid@w3.org, W3C Credentials Community Group <public-credentials@w3.org>
Message-Id: <6AFB733C-21E0-4779-9939-B96FD1475411@co-operating.systems>
To: Timothy Holborn <timothy.holborn@gmail.com>

> On 6 Sep 2015, at 04:28, Timothy Holborn <timothy.holborn@gmail.com> wrote:
> 
> Is there any good reason why <keygen> should no longer be supported?
> 
> I get having alternatives, thinking it's good for flexibility and innovation, yet a bit like religions, conscription of a particular method isn't the best option.
> 
> So I haven't got clarity as to why it needs to be deprecated, regardless of any other emerging alternatives...
> 
> 

The main security reason given against it was that it uses MD5 and that that creates a huge security hole and that this cannot be changed. All of this is completely dishonest, not least that MD5 is completely irrelevant to keygen, as explained in issue 102 at the whatwg that was immediately closed though.

https://github.com/whatwg/html/issues/102


Henry
> Can someone enlighten me?
> 
> Tim.h.
> 
Received on Sunday, 6 September 2015 06:36:51 UTC
