[whatwg] <keygen> tag
Bruno.Harbulot at manchester.ac.uk
Fri Jan 15 08:59:01 PST 2010
Apologies for the late participation on this topic. I've been working on
FOAF+SSL with Henry Story (who advocated a few months ago the
introduction of <keygen> in HTML 5 for this purpose).
I've only just found the time to investigate the certificate generation
issue on Windows/Internet Explorer (using ActiveX, XEnroll and
CertEnroll). I've updated this wiki page accordingly:
Whilst I'm very supportive of having a key-generation mechanism in the
browser, I'm now not entirely sure the <keygen> tag, at least as a
legacy of the Netscape <keygen> tag, is the correct approach.
1. The more modern APIs (generateCRMFRequest  on Firefox or
CertEnroll/XEnroll on Internet Explorer ) appear to offer more
options in general, for example, where to store the private key, is it
exportable, etc. (I haven't looked in details, but I suspect it could be
envisaged to use some existing key material from a software store or
smartcard too, for example.)
This raises the question as to whether a tag is sufficient or
appropriate to express what's required for a CA, or if an API (and more
programming) is required.
2. The SPKAC format seems to be a legacy format. It doesn't really allow
to convey much information that CAs would expect, unlike other formats
used by the more modern APIs . Perhaps it would be better to use
one of the newer formats instead. This might break the compatibility
with the pre-HTML 5 use of <keygen> (maybe another name than <keygen> in
HTML5 would be better?).
Of course, the other big question is whether it's worth trying to
standardise this <keygen> tag if there's no intent of support from major
browser vendors (I have IE in mind here).
More information about the whatwg