Re: removing keygen from HTML

> On 30 May 2016, at 11:40, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
> 
> Hi folks,
> 
> there is an open issue [1] and open call for consensus [2] to remove keygen from HTML. Since the TAG, or its members, appear to have opinions about our spec, we'd be grateful to hear them.

I note that the same mail to the public-html mailing list [2] has for
deadline the 29 May and that this mail to the TAG was sent the day thereafter.
So I hope this mail from Charles is meant as an indicator that the deadline
for comments has been somewhat extended.

It should be noted indeed that the TAG is actually discussing
this issue which cuts across quite a number of areas in

 https://github.com/w3ctag/client-certificates

Here are points against removing it at present:

1) There is no good replacement for keygen at the moment
2) The "security problem" with keygen with weaknesses of MD5 is actually 
  not a deep problem for current usages of certificates. There are usages 
  where it is important but that can be fixed by improving the hashing using 
  this or another protocol. But then we are back at 1) above.
3) What is required is a way for a private key to be creaated and saved in the 
  browser (or by an attached hardware device), be tied to a certificate or 
  credential in whatever syntax is desired ( currently X509 is widely used ), 
  that can then be used across  origins when under the users control. This is 
  what keygen does pretty well now. We are all looking forward to something 
  better. See 1) above.

Keygen is in fact incredibly useful as demonstrated by the WebID-TLS protocol
   https://www.w3.org/2005/Incubator/webid/spec/tls/

Keygen need not be tied to TLS, but could be used with more HTTP2/0 friendly protocols
such as extensions to TLS client certificate authentication 

   https://tools.ietf.org/html/draft-thomson-http2-client-certs-01

or perhaps simpler proposals such as http-signature
 
  https://tools.ietf.org/html/draft-cavage-http-signatures-05

that can work with the Web Crypto API.

Again, before removing keygen a replacement should be found. Keygen has
the advantage of reducing to the minimum the need for application developers
to work with cryptography. Most of the work is moved to the TLS layer which is
getting a huge amount of oversight, and in which progress is being made.


The web never was perfect, and in the space of security perfection is not
achievable. What is possible is improvements. And so those wishing to remove
keygen should state what the problems are, and propose an improvement, not
remove some key feature many depend on.

Again please refer to:

 https://github.com/w3ctag/client-certificates

Thanks,

	Henry Story

PS. The Work on WebID is only an initial consensus we have been able
to reach, a lot more is possible in that space...

> 
> cheers
> 
> Chaals
> 
> [1] https://github.com/w3c/html/issues/43
> [2] http://www.w3.org/mid/op.yhs220oos7agh9@widsith.local
> 
> -- 
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
> 

Received on Monday, 30 May 2016 13:42:05 UTC