- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 2 Sep 2015 00:22:20 +0200
- To: TAG List <www-tag@w3.org>, Ian Hickson <ian@hixie.ch>
- Message-ID: <CAKaEYhJeyY4+WMYKCsO0PGJ114RehGxEL+vmP=P-_Bxsm+w+UQ@mail.gmail.com>
FYI: There was a recent discussion about deprecating an existing HTML element (keygen) from the w3c and/or whatwg specs, a time line for doing so. I believe timbl suggested putting it on the radar of the tag, so I thought I'd give it a try. The keygen element is currently in use. There were some reasonable arguments, imho, both for and against. I think there was an effort create an argument and time line for deprecation, that various stake holders could be comfortable with, and having an adequate replacement. I think there was a concern that the communication streams were not as well targeted as they could have been, spread over mailing list, google groups, github issues, pull requests etc. With the arguments as to what the alternatives would be for current implementations not 100% clear. At the same time pull requests were made to various specs. And changes to wikis with deprecation disclaimers, over a relatively short space of time. I think an argument was that major industry players are backing the work done at FIDO alliance, to be an alternative to existing work. However, it's not clear the FIDO spec is complete and will be a like for like replacement. From what I could gather the latest feeling was that the element is at risk and could be deprecated in 12-18 months based on current projections, and that implementors should be warned. There were also good suggestions about in the mean time improving the existing API and user interfaces. Perhaps this could be a good case study for the tag, in terms of optimizing process and communications, for this and future changes. ---------- Forwarded message ---------- From: Ian Hickson <ian@hixie.ch> Date: 1 September 2015 at 19:56 Subject: Re: [whatwg] deprecating <keygen> To: "henry.story@bblfish.net" <henry.story@bblfish.net> Cc: whatwg@whatwg.org On Tue, 1 Sep 2015, henry.story@bblfish.net wrote: > > As the WhatWG only recenly moved to Github members here may not have > noticed that <keygen> has been deprecated. > > I opened https://github.com/whatwg/html/issues/67 to give space for the > discussion. It is a pitty that this was closed so quickly ( within an > hour ) without giving members and the public ( the users of the web ) > time to comment nor for their voice to be heard. > > This is a complex issue that involves many different levels of > expertise, and it should not be handled so lightly. The spec just reflects implementations. The majority of implementations of <keygen> (by usage) have said they want to drop it, and the other major implementation has never supported it. The element was originally (and for many years) purely a mostly-undocumented proprietary extension; at the time it was invented, the HTML spec was edited by the W3C and the W3C did not add it (they only ended up speccing it in their most recent HTML spec because they forked the WHATWG's spec which did define it -- indeed, even then, it was something that W3C HTML working group members argued should not have been included). It was only added to the WHATWG spec because one of the browser vendors said they could not remove support for it due to usage by enterprise customers; that browser vendor is now amongst one of the ones wanting to drop it. As far as I can tell, therefore, things here are working exactly as one should expect. It's worth noting that <keygen> is a pretty terrible API. I recommend approaching the groups writing new cryptography APIs, explaining your use cases, and making sure they are supported in up-and-coming, more widely supported, more secure, and more well-thought-out APIs. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 1 September 2015 22:22:49 UTC