[whatwg] <keygen> tag

On Fri, 15 Jan 2010, Bruno Harbulot wrote:
> 
> Whilst I'm very supportive of having a key-generation mechanism in the 
> browser, I'm now not entirely sure the <keygen> tag, at least as a 
> legacy of the Netscape <keygen> tag, is the correct approach.

Indeed. It's only in the spec because that's what browsers implement.


> More specifically:
> 
> 1. The more modern APIs (generateCRMFRequest on Firefox or 
> CertEnroll/XEnroll on Internet Explorer) appear to offer more options in 
> general, for example, where to store the private key, is it exportable, 
> etc. (I haven't looked in detail, but I suspect it could be envisaged 
> to use some existing key material from a software store or smartcard 
> too, for example.) This raises the question as to whether a tag is 
> sufficient or appropriate to express what's required for a CA, or if an 
> API (and more programming) is required.
> 
> 2. The SPKAC format seems to be a legacy format. It doesn't really allow 
> one to convey much information that CAs would expect, unlike other formats 
> used by the more modern APIs. Perhaps it would be better to use one of 
> the newer formats instead. This might break the compatibility with the 
> pre-HTML 5 use of <keygen> (maybe a name other than <keygen> in HTML5 
> would be better?).

Agreed. I would encourage anyone interested in following up on this topic 
to write a specification for such an API and get it implemented in 
browsers. It doesn't have to be part of HTML, as it is really an 
independent specification.


> Of course, the other big question is whether it's worth trying to 
> standardise this <keygen> tag if there's no intent of support from major 
> browser vendors (I have IE in mind here).

Pages depend on one of two mechanisms. We can specify either one. The 
first is <keygen>. The second is ActiveX and the Win32 API.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 12 February 2010 04:31:45 UTC