
Re: Agenda: <keygen> being destroyed when we need it

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 2 Sep 2015 16:53:55 +0200
Message-ID: <CAKaEYh+8BPP9p+qzKK0fjFE5k3hoPX-6oLUTPT_wwRkDpixN8g@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: Tim Berners-Lee <timbl@w3.org>, TAG List <www-tag@w3.org>
On 2 September 2015 at 14:15, Wendy Seltzer <wseltzer@w3.org> wrote:

> On 09/02/2015 04:06 AM, Melvin Carvalho wrote:
> > On 1 September 2015 at 16:08, Tim Berners-Lee <timbl@w3.org> wrote:
> >
> >> Folks
> >>
> >> There is a strong move by the Google Chrome team followed by Firefox to remove
> >> the <keygen> tag from HTML5.   This has been done without an issue being
> >> raised in the WHATWG  or HTMLWG apparently.
> >>
> >> <keygen> is important because it allows authentication systems to be built
> >> in a distributed manner. It allows any Mom and Pop shop place to share
> >> public keys for people they trust.    For example, MIT uses it to create
> >> secure relationship with faculty and staff, and I use it for friends and
> >> family.
> >>
> >> Public key asymmetric crypto is generally so much stronger than the
> >> password-based authentication.  It requires certificate management code to
> >> be written.
> >>
> >
> > IMHO we need an area of the browser under a user's control
>
> That seems like a different, and more interesting requirement than
> "keygen."
>
> Keygen was a poorly designed, inconsistently implemented feature, that
> many sophisticated users and developers found confusing. If we can
> instead define what features we want to be able to build, and what they
> depend on that's not provided by WebCrypto, and think about how we can
> enable users to access these features without opening themselves up to
> be phished or tracked, that feels like a more productive avenue for
> discussion than "bring back keygen".
>

Looking at the latest Credential Management spec (Sep 2)

This kind of functionality looks quite promising in terms of helping to
replace existing functionality

https://w3c.github.io/webappsec/specs/credentialmanagement/#user-mediated-selection

A UI mockup here

https://w3c.github.io/webappsec/specs/credentialmanagement/mock-chooser.png

But I don't think it's yet in widespread use.


>
> --Wendy
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>
Received on Wednesday, 2 September 2015 14:54:25 UTC
