Re: Agenda: <keygen> being destroyed when we need it

On 09/02/2015 04:06 AM, Melvin Carvalho wrote:
> On 1 September 2015 at 16:08, Tim Berners-Lee <timbl@w3.org> wrote:
> 
>> Folks
>>
>> There is a strong move my Google chrome team followed by Firefox to remove
>> the <keygen> tag from HTML5.   This has been done without an issue being
>> raised in the WHATWG  or HTMLWG apparently.
>>
>> <keygen> is important because it allows authentication systems to be build
>> in a distributed manner. It allows any Mom and Pop shop place to share
>> public keys for people they trust.    For example, MIT uses it to create
>> secure relationship with faculty and staff, and I use it for friends and
>> family.
>>
>> Public key asymmetric crypto is generally so much stronger than the
>> password-based authentication.  It requires certificate management code to
>> be written.
>>
> 
> IMHO we need an area of the browser under a user's control

That seems like a different, and more interesting requirement than
"keygen."

Keygen was a poorly designed, inconsistently implemented feature, that
many sophisticated users and developers found confusing. If we can
instead define what features we want to be able to build, and what they
depend on that's not provided by WebCrypto, and think about how we can
enable users to access these features without opening themselves up to
be phished or tracked, that feels like a more productive avenue for
discussion than "bring back keygen".

--Wendy


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Wednesday, 2 September 2015 12:15:19 UTC