W3C home > Mailing lists > Public > www-tag@w3.org > December 2015

Re: keygen and client-certificates document available

From: Graham Leggett <minfrin@sharp.fm>
Date: Fri, 4 Dec 2015 13:39:30 +0200
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <46E0FE44-F428-4B85-B97E-54D6A9534890@sharp.fm>
To: Travis Leithead <travis.leithead@microsoft.com>
On 01 Dec 2015, at 12:21 AM, Travis Leithead <travis.leithead@microsoft.com> wrote:

> In September, Tim posted about <keygen> [1] which started a conversation about it on this list. The TAG has since met and discussed this topic, and we now have a document published with our latest thoughts. This document has our rough consensus at this point, and we additionally welcome feedback from you. As such, we’ve put the doc in a Repo [2] that has an issue tracker, so feel free to open issues against this document and we’ll do our best to resolve them. Thanks!
>  
> Keygen and client certificates document: http://w3ctag.github.io/client-certificates/ <http://w3ctag.github.io/client-certificates/>
>  
> [1] http://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html <http://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html>
> [2] https://github.com/w3ctag/client-certificates <https://github.com/w3ctag/client-certificates>
I urge people to take this process seriously, so we don’t have another repeat of the crypto.signText() fiasco that Firefox caused last year:

https://bugzilla.mozilla.org/show_bug.cgi?id=1030963 <https://bugzilla.mozilla.org/show_bug.cgi?id=1030963>
https://bugzilla.mozilla.org/show_bug.cgi?id=1083118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1083118>

TL;DR: 

"So far people seem to think this is a good idea” to remove the crypto.signText() function without any research into the people it impacts, and without any replacement technology offered. In the process they DoSed online banking in Bulgaria and Argentina, the Spanish Public Administration and Belgian Supreme Administrative Court.

Firebox was forced to revert the change, and then implement an add-on as follows, which for a long time was offered unsigned (!!!!): https://addons.mozilla.org/en-GB/firefox/addon/signtextjs/ <https://addons.mozilla.org/en-GB/firefox/addon/signtextjs/>

What I expect to happen is that a suitable and agreed replacement is built and widely deployed BEFORE anyone tries to remove keygen. Chrome mobile lacks keygen, which is how I was alerted to this embarrassing mess to begin with after a user complained.

Regards,
Graham
—
Received on Friday, 4 December 2015 11:40:04 UTC

This archive was generated by hypermail 2.3.1 : Friday, 4 December 2015 11:40:04 UTC