W3C home > Mailing lists > Public > www-tag@w3.org > June 2016

Re: removing keygen from HTML

From: Nathan Rixham <nathan@webr3.org>
Date: Wed, 1 Jun 2016 10:30:39 +0100
Message-ID: <CANiy74ybuk8+zVYJGxd-XPaxbJN-H46m3OTJ_de3fvY7BYxwmQ@mail.gmail.com>
To: Chaals McCathie Nevile <chaals@yandex-team.ru>
Cc: "www-tag@w3.org" <www-tag@w3.org>
How to do auth on web?

Honest and serious question.

WWW-Authenticate and Authorization provide basic (lol) and digest (mitm),
so can't use them.

Alternative? Public key authentication (usually implemented with a HTTPS /
SSL client certificate)  ... sounds good.

How to request, provide, or manage/select a client certificate with
browser? nothing specified or implemented, maybe use keygen to request?
(deprecated in live browsers), maybe provide a certificate with
application/x-x509-user-cert (deprecated in live browsers), manage/select?
(nothing specified)

keygen is specified and was implemented terribly, but where's the

How to do auth on web? A question I certainly can't answer, can anybody

On Mon, May 30, 2016 at 10:40 AM, Chaals McCathie Nevile <
chaals@yandex-team.ru> wrote:

> Hi folks,
> there is an open issue [1] and open call for consensus [2] to remove
> keygen from HTML. Since the TAG, or its members, appear to have opinions
> about our spec, we'd be grateful to hear them.
> cheers
> Chaals
> [1] https://github.com/w3c/html/issues/43
> [2] http://www.w3.org/mid/op.yhs220oos7agh9@widsith.local
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
>  chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Wednesday, 1 June 2016 09:31:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:14 UTC