
Re: keygen and client-certificates document available

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 6 Dec 2015 08:05:07 +0100
To: Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>
Cc: Travis Leithead <travis.leithead@microsoft.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <5663DE23.9080503@gmail.com>

On 2015-12-06 00:44, Mark Nottingham wrote:
> On 4 Dec 2015, at 7:47 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
>>
<snip>

>> Does the TAG have consensus that <keygen> (and friends) is worth
>> replacing?
>
> Section 5 starts:
>    "The keygen element should be replaced by a new API better suited for modern day application requirements."
>
> By "and friends", do you mean client certificates? That would be a much broader discussion.

If this wasn't the underlying issue (origin-unbound client certificates = useless/dangerous/etc),
<keygen> would probably have been updated years ago.

Since such a discussion has no chance of getting anywhere (=consensus with respect to
vendors versus the "market"), the only working long-term solution is removing this part
from the browser and "let people do what they want to do" like they currently do with
Android and iPhone "Apps".

The recent buy-in by Mozilla and Microsoft to Chrome's Native Messaging [1]
system makes both <keygen> and client-certificate support in Chrome a non-issue.
It has already been put in production by the Estonian government for eID support.

Anders

[1] https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0071.html
Received on Sunday, 6 December 2015 07:05:44 UTC
