- From: Henry Story <henry.story@bblfish.net>
- Date: Mon, 30 May 2016 15:41:33 +0200
- To: Chaals McCathie Nevile <chaals@yandex-team.ru>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, public-html@w3.org
> On 30 May 2016, at 11:40, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
>
> Hi folks,
>
> there is an open issue [1] and open call for consensus [2] to remove keygen from HTML. Since the TAG, or its members, appear to have opinions about our spec, we'd be grateful to hear them.

I note that the same mail to the public-html mailing list [2] has for deadline the 29 May and that this mail to the TAG was sent the day thereafter. So I hope this mail from Charles is meant as an indicator that the deadline for comments has been somewhat extended.

It should be noted indeed that the TAG is actually discussing this issue, which cuts across quite a number of areas, in
https://github.com/w3ctag/client-certificates

Here are points against removing it at present:

1) There is no good replacement for keygen at the moment.

2) The "security problem" with keygen with weaknesses of MD5 is actually not a deep problem for current usages of certificates. There are usages where it is important, but that can be fixed by improving the hashing using this or another protocol. But then we are back at 1) above.

3) What is required is a way for a private key to be created and saved in the browser (or by an attached hardware device), be tied to a certificate or credential in whatever syntax is desired (currently X509 is widely used), that can then be used across origins when under the user's control. This is what keygen does pretty well now. We are all looking forward to something better. See 1) above.

Keygen is in fact incredibly useful, as demonstrated by the WebID-TLS protocol
https://www.w3.org/2005/Incubator/webid/spec/tls/

Keygen need not be tied to TLS, but could be used with more HTTP2/0 friendly protocols such as extensions to TLS client certificate authentication
https://tools.ietf.org/html/draft-thomson-http2-client-certs-01
or perhaps simpler proposals such as http-signature
https://tools.ietf.org/html/draft-cavage-http-signatures-05
that can work with the Web Crypto API.

Again, before removing keygen a replacement should be found. Keygen has the advantage of reducing to the minimum the need for application developers to work with cryptography. Most of the work is moved to the TLS layer, which is getting a huge amount of oversight, and in which progress is being made.

The web never was perfect, and in the space of security perfection is not achievable. What is possible is improvements. And so those wishing to remove keygen should state what the problems are, and propose an improvement, not remove some key feature many depend on.

Again please refer to:
https://github.com/w3ctag/client-certificates

Thanks,

Henry Story

PS. The Work on WebID is only an initial consensus we have been able to reach, a lot more is possible in that space...

> cheers
>
> Chaals
>
> [1] https://github.com/w3c/html/issues/43
> [2] http://www.w3.org/mid/op.yhs220oos7agh9@widsith.local
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Monday, 30 May 2016 13:42:05 UTC