
Re: <keygen>

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Sun, 06 Sep 2015 07:31:33 +0000
Message-ID: <CAM1Sok2bWueb0a8yLQhWOd-=jy=rM4-v5tFXmJKEW17iiD=rvA@mail.gmail.com>
To: Henry Story <henry.story@co-operating.systems>
Cc: W3C Credentials Community Group <public-credentials@w3.org>, public-webid@w3.org
A. What is the simple exercise that demonstrates this identified security
hole?

B. Does the security hole exist when the function is not used?

Does the apparent security flaw affect the use of a browser when the
function is not used by compatible software (inc. Web apps / pages)?

So many people forget the day we all used floppies...  the idea of users
storing their data somewhere other than in the app, seems too hard for so
many that should remember the days of floppy disks...

On 16:36, Sun, 06/09/2015 Henry Story <henry.story@co-operating.systems>
wrote:

> On 6 Sep 2015, at 04:28, Timothy Holborn <timothy.holborn@gmail.com>
> wrote:
>
> Is there any good reason why <keygen> should no longer be supported?
>
> I get having alternatives, thinking it's good for flexibility and
> innovation yet a bit like religions, conscription of a particular method
> isn't the best option.
>
> So I haven't got clarity as to why it needs to be deprecated, regardless
> of any other emerging alternatives...
>
>
> The main security reason given against it was that it uses MD5 and that
> that creates a huge security hole
> and that this cannot be changed. All of this is completely dishonest, not
> least that MD5 is completely irrelevant to keygen, as explained in issue
> 102 at the whatwg that was immediately closed though.
>
> https://github.com/whatwg/html/issues/102
>
>
> Henry
>
> Can someone enlighten me?
>
> Tim.h.
>
>
>
Received on Sunday, 6 September 2015 07:32:11 UTC
