W3C home > Mailing lists > Public > www-tag@w3.org > May 2016

Re: removing keygen from HTML

From: Graham Leggett <minfrin@sharp.fm>
Date: Mon, 30 May 2016 18:36:23 +0200
Cc: Chaals McCathie Nevile <chaals@yandex-team.ru>, "www-tag@w3.org" <www-tag@w3.org>
Message-Id: <3AC212E2-2A4F-41D4-8654-F7EE14262D6E@sharp.fm>
To: Harry Halpin <hhalpin@ibiblio.org>
On 30 May 2016, at 4:14 PM, Harry Halpin <hhalpin@ibiblio.org> wrote:

> Some folks are using <keygen>, although I think everyone has been notified of the upcoming deprecation quite a while ago and so hopefully are preparing for a post-<keygen> world if they use client certs in the browser outside of TLS (such as for authentication). One deployment, MIT is working to moving to OpenID with Duo two-factor. 
> 
> It has been requested not to remove it until the replacement is ready, and I think WebAuthn fulfils the requirements in a way that is coherent with the Web Security Model. 

I urge the working group to engage the crypto community and let the crypto community decide on what is or isn’t a replacement for keygen. No “proxy auth” based system like OpenID is able to replace the capabilities of client certificates.

> Here's the WebAuthn schedule - so thus, one-factor cryptographic authentication should be working across most browsers later in the year, as early as October. So far, the Working Group has been moving very fast. 

I would also urge the working group to treat any attempt at rushing this issue with a significant amount of skepticism.

Regards,
Graham
—
Received on Monday, 30 May 2016 16:36:51 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:14 UTC