[whatwg] <keygen> and X509 client cert mime type

Ian Hickson ian at hixie.ch
Tue Apr 1 17:02:51 PDT 2014


On Tue, 25 Feb 2014, henry.story at bblfish.net wrote:
> 
> The keygen form element does a great job of specifying how the browser 
> creates a public/private key pair and stores the private key in its local 
> keystore.
> 
> "When the control's form is submitted, the private key is stored in the 
> local keystore, and the public key is packaged and sent to the server."
> 
> It is clear that the intention is for the server to send back a 
> certificate built from the public key. What I can't find is what the 
> mime type of the returned certificate should be. I have been using 
> `application/x-x509-user-cert` which seems to work for Safari, Firefox, 
> Opera. But I think that is not an officially supported certificate 
> type. application/pkix-cert seems to be that after looking it up on 
> IANA.
> 
> I ended up posting a bug report for Android on that.
>   http://code.google.com/p/android/issues/detail?id=66342
> 
> But now I have to check for each browser which is the type all browsers 
> support. To avoid people having to do this research again and again, 
> perhaps it would be worth specifying a mime type that all browsers 
> do/must support in the HTML5 spec?

On Wed, 26 Feb 2014, henry.story at bblfish.net wrote:
> 
>  (1) most browsers currently understand the mime types 
>      (a) application/x-x509-user-cert 
>      (b) application/x-x509-ca-cert 
>      (c) application/x-x509-email-cert
>    (I have only verified (a), btw. I am assuming the others also support (b) and (c).)
>    as specified here
>    https://wiki.mozilla.org/CA:Certificate_Download_Specification
> 
>   (2) the above mime types are not registered
>      http://www.iana.org/assignments/media-types/media-types.xhtml
>
> So really either the old mime types should be registered, or they should 
> be mentioned as being in use but deprecated and people should be guided 
> towards the application/pkix-cert

I wouldn't worry too much about registered vs not registered. If the 
registry doesn't match the implementations, the registry is buggy.

On the other hand, I also don't want to get into the business of 
specifying this stuff myself.

I've added a link to the above MDN page to the keygen section. If there is 
ever something more canonical (and yet still useful and accurate), let me 
know and I'll update the spec.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

