- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 3 Sep 2015 19:27:11 +0000 (UTC)
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: WHATWG <whatwg@whatwg.org>, Philip Jägenstedt <philipj@opera.com>, "henry.story@bblfish.net" <henry.story@bblfish.net>
On Thu, 3 Sep 2015, Melvin Carvalho wrote:
> > The post foolip pointed to points out that <keygen> is actually rather
> > insecure (e.g. using MD5). One could argue that _keeping_ <keygen> is
> > actually more harmful to asymmetric-key cryptography than removing
> > it...
>
> I'm not an expert here, but my understanding from reading some Wikipedia
> articles was that a preimage attack on md5 was 2^123. If so, isn't that
> pretty secure? I asked on the blink thread why md5 was thought to be
> insecure, but no one was able to answer, or point to a reference. It
> would be great to understand if there is a feasible attack here.

Wikipedia's article on MD5 is pretty comprehensive:

   https://en.wikipedia.org/wiki/MD5

> Looking at:
>
>   SignedPublicKeyAndChallenge ::= SEQUENCE {
>     publicKeyAndChallenge PublicKeyAndChallenge
> <http://www.w3.org/html/wg/drafts/html/master/semantics.html#publickeyandchallenge>,
>     signatureAlgorithm AlgorithmIdentifier,
>     signature BIT STRING
>   }
>
> http://www.w3.org/html/wg/drafts/html/master/semantics.html#the-keygen-element

That's the W3C's fork of the specification. The relevant spec for this
mailing list is:

   https://html.spec.whatwg.org/multipage/#the-keygen-element

I wouldn't use the W3C's fork for discussions here because the W3C version
has many subtle differences and it can cause us great confusion when
discussing these issues.

> There appears to be a field signatureAlgorithm. Does that not suggest
> that switching away from MD5 is future proofed?

In principle <keygen> itself could have new signature algorithms added.
This of course wouldn't be backwards compatible (in that it wouldn't be
supported by legacy UAs or legacy servers), so it would be no different
than introducing an entirely new feature that didn't suffer from all the
other problems that <keygen> suffers from.

This is somewhat academic, though. When there are no browser vendors
supporting a particular feature, arguing about how it could be improved
misses the point.

That's why we added a warning to the spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2015 19:27:38 UTC
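Added example, not code from this thread or from the WHATWG or W3C specifications: a server-side check that walks the DER of the SignedPublicKeyAndChallenge structure quoted in the message, reads the signatureAlgorithm OID, and rejects a submission that claims MD5 (or any algorithm the server does not recognise) before any signature verification is attempted. The minimal DER reader and encoder, the OID table and the sample SPKAC (built with placeholder key and signature bytes, so it is structurally valid but not a real keygen output) are all constructed here; the md5WithRSAEncryption and sha256WithRSAEncryption OIDs are the standard PKCS#1 values.

```python
"""Policy check on the signatureAlgorithm of a <keygen> SPKAC submission.

Added example. The DER helpers below are a constructed minimal reader/encoder,
and build_sample_spkac() produces a constructed blob with placeholder key and
signature bytes; it is not a real browser-generated SPKAC.
"""
import base64

# Standard PKCS#1 signature algorithm OIDs.
REJECTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"  # key type inside the SPKI


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def spkac_signature_algorithm(spkac_b64):
    """Return the dotted signatureAlgorithm OID of a base64 SPKAC blob."""
    der = base64.b64decode(spkac_b64)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKAC is not a single DER SEQUENCE")
    tag, _pkac, pos = _read_tlv(body, 0)        # publicKeyAndChallenge (not needed here)
    if tag != 0x30:
        raise ValueError("publicKeyAndChallenge is not a SEQUENCE")
    tag, alg_id, _ = _read_tlv(body, pos)       # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)          # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_spkac(spkac_b64):
    """Gate on the claimed algorithm: ('accept'|'reject', reason). Verification is separate."""
    oid = spkac_signature_algorithm(spkac_b64)
    if oid in REJECTED_SIGNATURE_OIDS:
        return ("reject", REJECTED_SIGNATURE_OIDS[oid])
    if oid in ACCEPTED_SIGNATURE_OIDS:
        return ("accept", ACCEPTED_SIGNATURE_OIDS[oid])
    return ("reject", "unrecognised signature algorithm " + oid)


# --- constructed sample input (DER encoder) -----------------------------------
def _der(tag, payload):
    """Encode one TLV with definite-length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_spkac(sig_oid, challenge=b"constructed-challenge"):
    """Constructed SPKAC with the given signatureAlgorithm; key and signature are placeholder zeros."""
    null_params = b"\x05\x00"
    spki = _der(0x30, _der(0x30, _encode_oid(RSA_ENCRYPTION_OID) + null_params)
                + _der(0x03, b"\x00" + b"\x00" * 16))          # placeholder subjectPublicKey
    pkac = _der(0x30, spki + _der(0x16, challenge))             # PublicKeyAndChallenge
    alg_id = _der(0x30, _encode_oid(sig_oid) + null_params)     # AlgorithmIdentifier
    signature = _der(0x03, b"\x00" + b"\x00" * 32)              # placeholder BIT STRING
    return base64.b64encode(_der(0x30, pkac + alg_id + signature)).decode()


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, "->", check_spkac(build_sample_spkac(oid)))
```

The signatureAlgorithm field is filled in by whoever submits the blob, so reading it is a policy gate, not evidence of strength: the server decides which OIDs it will accept, rejects everything else up front, and then verifies the signature over publicKeyAndChallenge with a real cryptographic library using the algorithm it accepted, never the one the sender merely claims.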