Re: removing keygen from HTML

On Tue, May 31, 2016 at 6:31 AM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:

> On Tue, 31 May 2016 16:40:30 +0200, Harry Halpin <hhalpin@ibiblio.org>
> wrote:
>
> On Tue, May 31, 2016 at 3:43 AM, Daniel Appelquist <dan@torgo.com> wrote:
>>
>> Hi Folks - the TAG (in the person of Travis) has written on this topic:
>>>
>>> https://w3ctag.github.io/client-certificates/#replacing-keygen
>>>
>>> As noted, it represents the rough consensus of the TAG on this issue.
>>>
>>
> As I read that, in relation to the question facing the Web Platform group
> for the HTML spec:
>  1) It doesn't present any urgency to remove keygen, noting that there is
> not a replacement available now.
>

The urgency is that <keygen> as it stands violates SOP and so user privacy
(details here -
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/pX5NbX0Xack
- although finger-printing avoidance is nearly impossible). However, given
that TimBL and a few others on this list use <keygen> in their programming
projects, it seems the polite thing to do is not to deprecate it until Web
Authentication is ready by the end of the year despite the security/privacy
concerns. That should at least give TimBL and others time to update their
code.



>  2) I don't know how rough that consensus is. Multiplying rough consensus
> by rough consensus can quickly get to "a minority opinion".
>
> One could argue to keep <keygen> enabled till when Web Authentication API
>> is in browsers.
>>
>
> Which would have a critical impact on our current question - should we
> remove it *now*?
>

Given that Chrome has removed it and Mozilla has said they will remove it,
it seems not to make much sense to keep it in the HTML spec.


>
> Also, as <keygen> is currently non-interoperable and specified in only one
>> browser
>>
>
> As far as I can see it works in Safari as well. Is my simplistic testing
> giving a false positive, or does it work?
>

Safari in my experience tends as a policy not to comment on future work. Feel
free to ask them. However, one browser probably does not mean it should
stay in the HTML spec, particularly after Mozilla drops it. You can ask
Mozilla for their timeline.

>
> On Tue, 31 May 2016 at 13:33 Eric Mill <eric@konklone.com> wrote:
>>>
>>> The original email said: "Since the TAG, or its members, appear to have
>>>> opinions about our spec, we'd be grateful to hear them." It'd be most
>>>> productive for this thread's discussion to at least be initiated by a
>>>> member of the TAG.
>>>>
>>>
> To be fair, I understand the nature of this mailing list, and while I
> addressed my comments primarily to the TAG I am grateful for others giving
> input too.
>

Given that the TAG sometimes is not aware of all the work happening in W3C,
it seemed to make sense to chime in with the Web Authentication timeline.

>
> cheers
>
> Chaals
>
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
>  chaals@yandex-team.ru - - - Find more at http://yandex.com
>

Received on Wednesday, 8 June 2016 12:33:25 UTC