Hi Enrico,

On Sun, October 11, 2015 20:50, Enrico Zini wrote:
> However, there is discussion in the Chrome[5] and Mozilla[6] communities
> about deprecating client certificate authentication. In those threads,
>
> I don't quite mind if <keygen> is removed, as long as there would be a
> replacement that allows the existence and growth of an ecosystem with
> shared identification, based on popular standards and easy to use and
> deploy.

Thanks for the heads-up. Debian is most certainly not the only one to use client certificates for (Single) Sign On, so keeping client certificates usable is important.

Reading the threads you link, however, those indeed seem to be centered around removal of the "<keygen>" tag, not deprecating the entire X.509 client certificate support of browsers. Basically, the point is that enrolment should be done differently. While we make use of that tag (e.g. in the TERENA Personal Certificate Service that some academics may know), the browser developers may have a point that there are other ways to implement the enrolment step. People can generate a certificate locally with openssl or other tools, through HTML5 or JS. The current <keygen> tag is convenient (as it requires 8 bytes to implement browser-based certificate generation), but I'd have to investigate these other options to see whether they are viable. I can't conclude right now that they are unreasonable for suggesting that. Especially for tech-savvy use cases the in-browser generation should not be essential. So I'm not sure that Debian would have a strong point in this discussion.

I'm emailing to check if indeed you're referring only to removal of the <keygen> tag, not the entire X.509 client certificate support from browsers. If the latter discussions are happening, I'd love a link to those.

Cheers,
Thijs
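The "generate locally with openssl" enrolment path Thijs mentions, as an added example that is not part of the thread: the private key never leaves the user's machine, only a CSR goes to the CA (a throwaway demo CA constructed here; file names and the subject are assumptions), and the relying party checks chain, key match and client-auth purpose.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): client-certificate
# enrolment without the <keygen> tag, done with plain openssl.
set -eu

WORK="${TMPDIR:-/tmp}/enrol-demo.$$"   # assumed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# User side: key pair generated locally; the CSR carries only the public key
# plus a proof of possession (it is signed with the private key).
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/user.key" 2>/dev/null
  openssl req -new -key "$WORK/user.key" -out "$WORK/user.csr" \
    -subj "/CN=user@example.org"        # constructed subject
}

# CA side: a self-signed demo CA, constructed only for this example.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=Demo Enrolment CA" 2>/dev/null
}

# CA side: verify the CSR's self-signature, then issue a certificate that is
# restricted to TLS client authentication.
sign_csr() {
  openssl req -in "$WORK/user.csr" -verify -noout 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$WORK/user.crt" 2>/dev/null
}

# Relying-party checks: chains to the CA, is usable as a TLS client cert,
# and the issued certificate really wraps the locally generated key.
verify_enrolment() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/user.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$WORK/user.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/user.key" -pubout)" ] || return 1
  return 0
}

enrol_demo() { make_ca; make_csr; sign_csr; verify_enrolment; }
enrol_demo && echo "enrolment ok: $WORK/user.crt"
```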