On 2015-12-06 00:44, Mark Nottingham wrote:
> On 4 Dec 2015, at 7:47 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
>> <snip>
>> Does the TAG have consensus that <keygen> (and friends) is worth
>> replacing?
>
> Section 5 starts:
> "The keygen element should be replaced by a new API better suited for modern day application requirements."
>
> By "and friends", do you mean client certificates? That would be a much broader discussion.

If this wasn't the underlying issue (origin-unbound client certificates = useless/dangerous/etc), <keygen> would probably have been updated years ago.

Since such a discussion has no chance of getting anywhere (=consensus with respect to vendors versus the "market"), the only working long-term solution is removing this part from the browser and "let people do what they want to do" like they currently do with Android and iPhone "Apps".

The recent buy-in by Mozilla and Microsoft to Chrome's Native Messaging [1] system makes both <keygen> and client-certificate support in Chrome a non-issue. It has already been put in production by the Estonian government for eID support.

Anders

[1] https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0071.html

Received on Sunday, 6 December 2015 07:05:44 UTC