- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Wed, 2 Sep 2015 16:08:25 +0200
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: Tim Berners-Lee <timbl@w3.org>, TAG List <www-tag@w3.org>
- Message-ID: <CAKaEYhKh++YRNro0+RWxzw4S334Rh2FnRB0-=yR-6oo1zK4OWg@mail.gmail.com>
On 2 September 2015 at 14:15, Wendy Seltzer <wseltzer@w3.org> wrote: > On 09/02/2015 04:06 AM, Melvin Carvalho wrote: > > On 1 September 2015 at 16:08, Tim Berners-Lee <timbl@w3.org> wrote: > > > >> Folks > >> > >> There is a strong move my Google chrome team followed by Firefox to > remove > >> the <keygen> tag from HTML5. This has been done without an issue being > >> raised in the WHATWG or HTMLWG apparently. > >> > >> <keygen> is important because it allows authentication systems to be > build > >> in a distributed manner. It allows any Mom and Pop shop place to share > >> public keys for people they trust. For example, MIT uses it to create > >> secure relationship with faculty and staff, and I use it for friends and > >> family. > >> > >> Public key asymmetric crypto is generally so much stronger than the > >> password-based authentication. It requires certificate management code > to > >> be written. > >> > > > > IMHO we need an area of the browser under a user's control > > That seems like a different, and more interesting requirement than > "keygen." > keygen puts a keypair/certificate into an area of the browser (chrome) that is under user control, in the sense that the key material is protected from downloaded javascript, but the user has - ability to manage the key/certificate (view / import / export) - ability to choose when this key is used > > Keygen was a poorly designed, inconsistently implemented feature, that > many sophisticated users and developers found confusing. If we can > instead define what features we want to be able to build, and what they > depend on that's not provided by WebCrypto, and think about how we can > enable users to access these features without opening themselves up to > be phished or tracked, that feels like a more productive avenue for > discussion than "bring back keygen". > I there are good UIs already implemented in most browsers, for example, for sharing location. Your location is under your control, but you can choose when you want to share it. Similarly, if keygen were able to > > --Wendy > > > -- > Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office) > Policy Counsel and Domain Lead, World Wide Web Consortium (W3C) > http://wendy.seltzer.org/ +1.617.863.0613 (mobile) > >
Received on Wednesday, 2 September 2015 14:08:55 UTC