- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 6 Dec 2015 08:05:07 +0100
- To: Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>
- Cc: Travis Leithead <travis.leithead@microsoft.com>, "www-tag@w3.org" <www-tag@w3.org>

On 2015-12-06 00:44, Mark Nottingham wrote:
> On 4 Dec 2015, at 7:47 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
>> <snip>
>> Does the TAG have consensus that <keygen> (and friends) is worth
>> replacing?
>
> Section 5 starts:
> "The keygen element should be replaced by a new API better suited for modern day application requirements."
>
> By "and friends", do you mean client certificates? That would be a much broader discussion.

If this wasn't the underlying issue (origin-unbound client certificates = useless/dangerous/etc), <keygen> would probably have been updated years ago.

Since such a discussion has no chance of getting anywhere (=consensus with respect to vendors versus the "market"), the only working long-term solution is removing this part from the browser and "let people do what they want to do" like they currently do with Android and iPhone "Apps".

The recent buy-in by Mozilla and Microsoft to Chrome's Native Messaging [1] system makes both <keygen> and client-certificate support in Chrome a non-issue. It has already been put in production by the Estonian government for eID support.

Anders

[1] https://lists.w3.org/Archives/Public/public-webappsec/2015Oct/0071.html

Received on Sunday, 6 December 2015 07:05:44 UTC