- From: Graham Leggett <minfrin@sharp.fm>
- Date: Mon, 30 May 2016 18:36:23 +0200
- To: Harry Halpin <hhalpin@ibiblio.org>
- Cc: Chaals McCathie Nevile <chaals@yandex-team.ru>, "www-tag@w3.org" <www-tag@w3.org>
On 30 May 2016, at 4:14 PM, Harry Halpin <hhalpin@ibiblio.org> wrote:

> Some folks are using <keygen>, although I think everyone has been notified of the upcoming deprecation quite a while ago and so hopefully are preparing for a post-<keygen> world if they use client certs in the browser outside of TLS (such as for authentication). One deployment, MIT is working to moving to OpenID with Duo two-factor.
>
> It has been requested not to remove it until the replacement is ready, and I think WebAuthn fulfils the requirements in a way that is coherent with the Web Security Model.

I urge the working group to engage the crypto community and let the crypto community decide on what is or isn’t a replacement for keygen. No “proxy auth” based system like OpenID is able to replace the capabilities of client certificates.

> Here's the WebAuthn schedule - so thus, one-factor cryptographic authentication should be working across most browsers later in the year, as early as October. So far, the Working Group has been moving very fast.

I would also urge the working group to treat any attempt at rushing this issue with a significant amount of skepticism.

Regards,
Graham
--
Received on Monday, 30 May 2016 16:36:51 UTC