mjs at apple.com
Tue Jan 6 11:41:13 PST 2009
On Jan 6, 2009, at 4:40 AM, Ian Hickson wrote:
> Over the years, several people (most of them bcc'ed) have asked for
> to include a definition of <keygen>. Some have even gone as far as
> documentation on the element -- thank you.
> As I understand it based on the documentation, <keygen> basically
> generates a public/private asymmetric cryptographic key pair, and then
> sends the public component as its form value.
> Unfortunately, this seems completely and utterly useless, as at no
> does there seem to be any way to ever use the private component
> either for
> signing or for decrypting anything, nor does there appear to be a
> way to
> use the certificate for authentication.
> Without further information along these lines describing how to
> make practical use of the element, I do not intend to document
> <keygen> in
> the HTML5 specification. If anyone can fill in these holes that
> would be
> very helpful.
In the case of Safari, we store the generated private key in the
Keychain, and sites using <keygen> typically respond with a signed
certificate, which is downloaded and automatically added to the
Keychain. Depending on the valid purposes of the key, users can then
do the following automatically:
1) Browse to SSL sites that require client-side certificates for
authentication, in Safari.
2) Send email with strong authentication via a cryptographic
signature, in Mail.
3) Receive encrypted email from users who have received a copy of
their public key, in Mail.
I imagine other browsers store the private key and received signed
certificate in similar ways.
This is certainly a useful feature, and we added it at the request of
both end users and CAs.
More information about the whatwg