- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Wed, 2 Sep 2015 08:15:15 -0400
- To: Melvin Carvalho <melvincarvalho@gmail.com>, Tim Berners-Lee <timbl@w3.org>
- Cc: TAG List <www-tag@w3.org>
On 09/02/2015 04:06 AM, Melvin Carvalho wrote: > On 1 September 2015 at 16:08, Tim Berners-Lee <timbl@w3.org> wrote: > >> Folks >> >> There is a strong move my Google chrome team followed by Firefox to remove >> the <keygen> tag from HTML5. This has been done without an issue being >> raised in the WHATWG or HTMLWG apparently. >> >> <keygen> is important because it allows authentication systems to be build >> in a distributed manner. It allows any Mom and Pop shop place to share >> public keys for people they trust. For example, MIT uses it to create >> secure relationship with faculty and staff, and I use it for friends and >> family. >> >> Public key asymmetric crypto is generally so much stronger than the >> password-based authentication. It requires certificate management code to >> be written. >> > > IMHO we need an area of the browser under a user's control That seems like a different, and more interesting requirement than "keygen." Keygen was a poorly designed, inconsistently implemented feature, that many sophisticated users and developers found confusing. If we can instead define what features we want to be able to build, and what they depend on that's not provided by WebCrypto, and think about how we can enable users to access these features without opening themselves up to be phished or tracked, that feels like a more productive avenue for discussion than "bring back keygen". --Wendy -- Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Wednesday, 2 September 2015 12:15:19 UTC