Gervase Markham wrote:
>On 07/04/09 15:38, Jean-Marc Desperrier wrote:
>> No, the keygen tag is just too bad to be updated to something really
>> useful.
>
>Then you need to persuade Hixie not to standardize it, otherwise people
>will be using it for a long time :-)

It doesn't really matter if <keygen> gets standardized or not, it will be obviated by other solutions anyway since it doesn't support even the most basic security features needed, like giving the issuer an indication whether the keys are stored in the file system, or are generated and stored in a secure container like a smart card. The technique for doing that (container attestations) has been known for a decade or more, and since trusted HW is already a part of high-end mobile devices, it seems pretty short-sighted not to make use of it.

Note: I don't think WHATWG should be blamed for this situation, it is rather the result of a collective non-action by the PKI community.

BTW, <keygen> and its numerous cousins are actually MUCH more interesting for mobile devices than for PCs, since for the latter we already have physical token distribution (PIV/FIPS201), which I think is the main reason why the state of browser key-generation isn't exactly high on the agenda.

One may argue that the SIM already does that but then you probably haven't tried it in practice :-) Everything bound to SIMs is either locked-down or costly, and often quite useless as well since SIMs typically have very limited capacity; even the phone book is on-line these days!

Anders

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto