Re: keygen and client-certificates document available from Graham Leggett on 2015-12-04 (www-tag@w3.org from December 2015)

From: Graham Leggett <minfrin@sharp.fm>
Date: Fri, 4 Dec 2015 13:39:30 +0200
To: Travis Leithead <travis.leithead@microsoft.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <46E0FE44-F428-4B85-B97E-54D6A9534890@sharp.fm>

On 01 Dec 2015, at 12:21 AM, Travis Leithead <travis.leithead@microsoft.com> wrote:

> In September, Tim posted about <keygen> [1] which started a conversation about it on this list. The TAG has since met and discussed this topic, and we now have a document published with our latest thoughts. This document has our rough consensus at this point, and we additionally welcome feedback from you. As such, we’ve put the doc in a Repo [2] that has an issue tracker, so feel free to open issues against this document and we’ll do our best to resolve them. Thanks!
>  
> Keygen and client certificates document: http://w3ctag.github.io/client-certificates/ <http://w3ctag.github.io/client-certificates/>
>  
> [1] http://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html <http://lists.w3.org/Archives/Public/www-tag/2015Sep/0000.html>
> [2] https://github.com/w3ctag/client-certificates <https://github.com/w3ctag/client-certificates>
I urge people to take this process seriously, so we don’t have another repeat of the crypto.signText() fiasco that Firefox caused last year:

https://bugzilla.mozilla.org/show_bug.cgi?id=1030963 <https://bugzilla.mozilla.org/show_bug.cgi?id=1030963>
https://bugzilla.mozilla.org/show_bug.cgi?id=1083118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1083118>

TL;DR: 

"So far people seem to think this is a good idea” to remove the crypto.signText() function without any research into the people it impacts, and without any replacement technology offered. In the process they DoSed online banking in Bulgaria and Argentina, the Spanish Public Administration and Belgian Supreme Administrative Court.

Firebox was forced to revert the change, and then implement an add-on as follows, which for a long time was offered unsigned (!!!!): https://addons.mozilla.org/en-GB/firefox/addon/signtextjs/ <https://addons.mozilla.org/en-GB/firefox/addon/signtextjs/>

What I expect to happen is that a suitable and agreed replacement is built and widely deployed BEFORE anyone tries to remove keygen. Chrome mobile lacks keygen, which is how I was alerted to this embarrassing mess to begin with after a user complained.

Regards,
Graham
—

Received on Friday, 4 December 2015 11:40:04 UTC