- From: Graham Leggett <minfrin@sharp.fm>
- Date: Wed, 16 Sep 2015 12:08:01 +0200
- To: Ryan Sleevi <sleevi@google.com>
- Cc: www-tag@w3.org
On 15 Sep 2015, at 11:29 AM, Ryan Sleevi <sleevi@google.com> wrote: > Well, that's not a productive advancement of the conversation. Yes, it is the case, because you can observe this today with both <keygen> and application/x-x509-user-cert, as your fellow WebID supporters encourage. > > Go to a site with a <keygen> tag in Safari or Chrome. See that it inserts a key in your (OS) key store. That’s not how keygen works. The keygen tag has to be part of a form, and renders a visible indication of the key size. The end user has to actively click on something before the key is generated. > Go to a site that delivers an application/x-x509-user-cert for a certificate that you have a key to. See that it inserts a certificate into your (OS) certificate store. > Go to a site that requests a TLS client certificate, and use the certificate you just created. See that there is no OS-mediated prompting. > > It's a demonstrably and factually false statement to claim there's an interactivity requirement, provided by the OS, by default. There isn't. Can a user configure one? Sure. Does their system quickly become (practically) unusable? Absolutely. Are there myriad ways to bypass those OS prompts? Yup. Sorry, but that’s untrue. At the very least (Firefox) you have to explicit submit a form to generate a key. At the most (Safari) you are explicitly prompted to choose a certificate before using that certificate to connect to a site. > As such, this will be my last reply on this thread, because it's clear we've gone so far away from the topic at hand that there really is no point continuing. In that case I expect you’ll be withdrawing your proposal and will be leaving keygen as it is? Regards, Graham —
Received on Wednesday, 16 September 2015 12:19:35 UTC