During the Netscape heyday, <keygen> was probably pretty OK.  However, that
was a long time ago.

In fact, <keygen> meets only one of the dozen+ imaginable features
outlined here:

http://webpki.org/papers/PKI/certenroll-features.pdf

For the PC platform, which seems to resist all modernization efforts in this
space (probably due to the "Wintel" hegemony plus the inability of the smart
card community to create anything "Internetish"), there's little point in
upgrading stuff; this request is dedicated to the always connected, mobile
devices which primarily rely on embedded platform capabilities.

Although swapping <keygen> for something else has indeed been proposed, IMO
that wouldn't help much because the underpinnings, like NSS, are also in need
of renovation.

The somewhat bigger question is thus whether NSS should be upgraded or if it
(as I propose) should be "complemented" with *another* API for provisioning.
The primary reason why I think the latter is a better idea is that credential
provisioning security-wise should operate "one level down" in the stack
compared to credential usage.

Proof: The Google Wallet doesn't utilize NSS/<keygen>-like technology for
provisioning; it rather builds on (according to unverified sources...)
GlobalPlatform's SCPnn.

Anders


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
