Re: removing keygen from HTML

On 30 May 2016, at 4:14 PM, Harry Halpin wrote:

> Some folks are using <keygen>, although I think everyone has been notified of the upcoming deprecation quite a while ago and so hopefully are preparing for a post-<keygen> world if they use client certs in the browser outside of TLS (such as for authentication). One deployment, MIT, is working on moving to OpenID with Duo two-factor.
> It has been requested not to remove it until the replacement is ready, and I think WebAuthn fulfils the requirements in a way that is coherent with the Web Security Model. 

I urge the working group to engage the crypto community and let the crypto community decide on what is or isn’t a replacement for keygen. No “proxy auth” based system like OpenID is able to replace the capabilities of client certificates.

> Here's the WebAuthn schedule - so thus, one-factor cryptographic authentication should be working across most browsers later in the year, as early as October. So far, the Working Group has been moving very fast. 

I would also urge the working group to treat any attempt at rushing this issue with a significant amount of skepticism.


Received on Monday, 30 May 2016 16:36:51 UTC