
Google proposing to deprecate KEYGEN

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Thu, 30 Jul 2015 17:12:52 +0200
To: Web Payments CG <public-webpayments@w3.org>
Message-ID: <55BA3EF4.1030603@gmail.com>

Melvin C provided this link.  Thanx!

https://groups.google.com/forum/#!msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ

Although KEYGEN is pretty useless, Google/Ryan's take on X.509 certificate authentication on
the web is way off.  It seems that the security/privacy concerns have now reached a level
where everybody is focusing on *crippling* browsers.  As a user of X.509 authentication to
e-governments I can attest that it is very convenient to not have a separate key or password
for every little department out there.  How can I trust the departments not to track me?

Well, Google's U2F will effectively require an email address everywhere and that is *at least as*
tracking as a certificate with an SSN (which obviously is only used in contexts where an SSN
is relevant).

That is, non-tracking is a combination of legal, technical and trust issues.  The hope that some
cool tech-stuff completely solves this is simply silly, unless you go to extremes which probably
only a fraction of all users are interested in.

Anders
Received on Thursday, 30 July 2015 15:13:23 UTC
