- From: Mounir Lamouri <mounir.lamouri@gmail.com>
- Date: Sun, 11 Apr 2010 16:06:06 +0200
Hi,

I have a few questions about the keygen element specification.

First of all, the keytype attribute should specify which algorithm to use, but it can be in the 'unknown state' and "it is possible for a user agent to not support any key types at all." I do not understand why the keygen element would be implemented with no supported keytype. It would be really weird and confusing to have a keygen element with no keytype.

Also, I do not understand why the keytype list is not exhaustive. It would lead to situations where UA X introduces a new keytype (and, to make it worse, with patents to make it impossible to use by other UAs). If this keytype becomes a de facto standard, it would be very bad. Moreover, with the present specification, a website can't seriously use the keygen element because it wouldn't know if the algorithm it wants to use will be supported, even RSA. In my opinion, the keytype list should be exhaustive and the invalid and missing values should be the RSA state.

Then, there is the UI aspect of the element. This element is 'Interactive content' and accepts the 'autofocus' attribute, but there are no real UI aspects mentioned in the specifications. The keygen element description mentions this: "The user agent may expose a user interface for each keygen element to allow the user to configure settings of the element's key pair generator, e.g. the key length." and the "represents" section mentions: "When the keygen binding applies to a keygen element, the element is expected to render as an 'inline-block' box containing a user interface to configure the key pair to be generated." I'm wondering if the specifications consider the UI aspect as out of the specifications because the key is generated locally and only the result is sent with the form values. Most current implementations of the keygen element (which are not following this specification) let the user choose a key length and a text field. Do you think this should be specified?

In addition, the key length (and maybe other variables used to generate the key) may be exposed with an IDL attribute. It may help websites to check that the key is secure enough.

Thanks,
--
Mounir
Received on Sunday, 11 April 2010 07:06:06 UTC