- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 30 Mar 2016 19:09:04 +0200
- To: Dave Longley <dlongley@digitalbazaar.com>
- Cc: Graham Leggett <minfrin@sharp.fm>, TAG List <www-tag@w3.org>, Tim Berners-Lee <timbl@w3.org>, Henry Story <henry.story@bblfish.net>
- Message-ID: <CAKaEYhJx1WO9VrsRRx43ZzJChEBN1vf09cPpP-Qs6pu1WQNJDQ@mail.gmail.com>
On 30 March 2016 at 18:23, Dave Longley <dlongley@digitalbazaar.com> wrote: > On 03/30/2016 12:09 PM, Graham Leggett wrote: > >> On 30 Mar 2016, at 6:00 PM, Dave Longley <dlongley@digitalbazaar.com> >> wrote: >> >> As a quick, temporary replacement for keygen, you should be able to >>> use forge (or forge + WebCrypto) to generate a keypair and wrap it >>> in a PKCS#12 container that can be downloaded via a link that, when >>> clicked, may bring up an import dialog in the user's browser. They >>> may have to save the file first before importing, I'm not sure. >>> >>> forge: https://github.com/digitalbazaar/forge >>> >>> There's some somewhat messy X.509 cert creation and PKCS#12 code >>> that could be adapted from this issue: >>> >>> https://github.com/digitalbazaar/forge/issues/211#issuecomment-85447100 >>> >> >> >>> >>> Does this guarantee that the key was a) generated on the client side >> only (and not anywhere else and injected into the conversation), and >> b) that this key cannot be subsequently exported and uploaded to >> some third party location under the control of third party server >> code? >> > > The short answer is "No", as there is presently no direct replacement > for keygen. I was just offering a quick temporary fix. If it's true that > keygen has now been removed (not just deprecated), I would expect that > systems that relied upon it need *something* that they can throw > together quickly in the interim (meaning, until some other replacement > can solve their problem long term). > As I understand it keygen is NOT removed in firefox (or most versions of other browsers). What I heard (perhaps someone will confirm) is that Mozilla will take the TAG advice, to remove existing functionality that is in use, only after it has been adequately replaced. > > The longer answer is that the key pair is, in fact, generated > client-side, however, using code that is controlled by the website. That > site must be trusted not to do anything nefarious with the private key > while the site has access to it. Once the key pair has been exported to > a PKCS#12 and imported into the user's local key store, and the site has > been navigated away from, the website has no access to the private key, > should, for example, the site become compromised in the future. > > > > -- > Dave Longley > CTO > Digital Bazaar, Inc. > http://digitalbazaar.com >
Received on Wednesday, 30 March 2016 17:09:34 UTC