Re: <keygen> from Anders Rundgren on 2015-09-06 (public-credentials@w3.org from September 2015)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 6 Sep 2015 08:28:45 +0200
To: Timothy Holborn <timothy.holborn@gmail.com>, public-webid@w3.org, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <55EBDD1D.10208@gmail.com>

On 2015-09-06 08:04, Timothy Holborn wrote:
>
> On 15:02, Sun, 06/09/2015 Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2015-09-06 04:28, Timothy Holborn wrote:
>      > Is there any good reason why <keygen> should no longer be supported?
>
>     If you look a bit deeper into the thread, it is rather X.509 certificates
>     for user authentication on the Web that is questioned.   Removing <keygen> is
>     a first step for removing the rest.
>
>
> Is there a security problem that means it should never be used?
>
> If not; Does leaving it in, create any compatibility issues with anything new?

Personally I think we are discussing the wrong topic.

Since the vendor that has 80% market share on the desktop have already removed
support for their counterpart to <keygen> in Edge and made it much more difficult
to use in IE11 (default turned off) there's obviously a strong vendor movement
towards eventually disabling HTTPS client-certification on the Web.  The reasons
for this deprecation have AFAICT never been discussed in any W3C forum.

As I have written numerous times, the really big users of x.509 saw this coming
years ago and have nowadays turned to "Apps" which give developers much more
options than a Web dictated by a small elite of fairly non-pragmatic people.

Anders

>
>
>     BTW, Microsoft's new Browser "Edge" has (as far as I understand) already removed
>     support for Web-based enrollment since CertEnroll builds on ActiveX which also is removed.
>     For enterprise enrollment Microsoft has never relied on the Web
>
>     Anders
>
>      >
>      > I get having alternatives, thinking its good for flexibility and innovation yet
>       > bit like religions, conscription of a particular method isn't the best option.
>      >
>      > So I haven't got clarity as to why it needs to be depreciated, regardless of any other emerging alternatives...
>      >
>      > Can someone enlighten me?
>      >
>      > Tim.h.
>      >
>
>

Received on Sunday, 6 September 2015 06:30:04 UTC