Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal. Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On some level, this removal will remove support for arbitrarily adding keys to the users' device-wide store, which is an intentional, by-design behaviour.
While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability, and represents an authentication scheme that does not work well for the web. An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities.
[11] https://developer.chrome.com/extensions/enterprise_platformKeys
[12] https://fidoalliance.org/
[14] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
Usage information from UseCounter
https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
Based on data seen from Google crawler (unfortunately, not public), the number of sites believed to be affected is comically low.
OWP launch tracking bug
https://code.google.com/p/chromium/issues/detail?id=514767
Entry on the feature dashboard
https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
Requesting approval to remove too?
No
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal.
Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
This argument seems week. We absolutely allow browsers to do things like register for protocol handlers.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On Jul 29, 2015 3:42 AM, <kai.e...@gmail.com> wrote:
>
> Does WebCrypto offer any way to guarantee that the client side private key will never leave the client computer?
>
extractable=false, but I doubt that is the level you're trying to get.
It only guarantees that the browser won't export it - naturally, the browser can't make any guarantees about other software on the machine, and it is intentional and by-design that WebCrypto does not expose any smart card access whatsoever (to do so is fundamentally insecure, and long-term privacy hostile)
On Jul 30, 2015 8:43 AM, "David Benjamin" <davi...@chromium.org> wrote:
>
>
> Does our implementation of <keygen> give you smartcard access anyway?
No
> In theory one could render <keygen> as a more complex widget that selects what token/whatever to put the key on, but I don't think we do more than the dropdown. I would think it just uses the default software key store everywhere.
Correct.
On Jul 30, 2015 7:42 AM, <melvinc...@gmail.com> wrote:
>
>
> -1 KEYGEN is in use.
>
> This move will be severely detrimental several grass roots communities, such as the WebID community.
>
> [1] https://www.w3.org/community/webid/participants
>
This comment doesn't really address any of the technical concerns raised. WebID has repeatedly demonstrated a willingness to appropriate ill-suited technology, and has readily acknowledged that no browser implements the desired functionality for WebID to be successful.
WebID is still nascent, and readily admits it won't work with Edge. An alternative would be for WebID to proceed with standards that are actually widely used and have a viable chance at being usable - such as WebCrypto.
But it seems odd to hold a feature that was never fit to purpose nor working as desired hostage for experimental activity in a CG.
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.
No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
> As I understand web crypto requires the private keys generated to be downloaded into the local storage of the browser. Due to entirely reasonable security restrictions of the browser the private key can from that storage only be used for that one origin ( which means that it can still be misused by any JS that is downloaded to a web site! ) That restriction removes many of the uses of public key cryptography that would allow one to strengthen the security of the web. Furthermore storing private keys in local storage seems a lot less secure than storing it encrypted in a keychain that is either tied to the browser like Netscape or tied the OS.
<keygen> is never speced to behave as you describe. That it does is simply a matter of emulating Netscape's original behaviour, but as noted earlier, even those that emulate the behaviour do so inconsistently.
For example, using <keygen> on iOS in a webview doesn't affect the Safari keychain - as apps can't write into that.
>
> So I don't see that WebCrypto has proved itself yet as a substitute for client side certificates.
Correct, because it intentionally is not trying to offer a 1:1 emulation of client certificates, because they're a horrible and broken technology for the web at large (e.g. outside niche enterprise use cases). This is a fundamental flaw that WebID has been struggling with, without solution or adoption, for over for years.
However, alternatives exist - both via WebCrypto (as clearly demonstrated by Mozilla's past efforts through Persona) and via FIDO (as clearly demonstrated by Google, Microsoft, and others) - that offer more meaningful, usable, robust alternatives.
> As for wether WebID can work with Edge ( Microsoft Edge? ) or not I don't think we have yet looked at it. Why would it not work there?
Please read my original message, detailing the varying incompatibilities with <keygen>.
None of these are new to the WebID folks - nor has there been any traction whatsoever on the pet features the WebID CG have deemed essential to WebID (such as TLS logout). The hope is that WebID will, after the considerable time spent as a CG, realize there are alternative technical solutions that offer the same fundamental properties in more usable, more widely supported ways, without relying on the esoteric incompatible behaviours of browsers (as it does today, for example, TLS logout).
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
> As I understand web crypto requires the private keys generated to be downloaded into the local storage of the browser. Due to entirely reasonable security restrictions of the browser the private key can from that storage only be used for that one origin ( which means that it can still be misused by any JS that is downloaded to a web site! ) That restriction removes many of the uses of public key cryptography that would allow one to strengthen the security of the web. Furthermore storing private keys in local storage seems a lot less secure than storing it encrypted in a keychain that is either tied to the browser like Netscape or tied the OS.
<keygen> is never speced to behave as you describe. That it does is simply a matter of emulating Netscape's original behaviour, but as noted earlier, even those that emulate the behaviour do so inconsistently.
For example, using <keygen> on iOS in a webview doesn't affect the Safari keychain - as apps can't write into that.
>
> So I don't see that WebCrypto has proved itself yet as a substitute for client side certificates.Correct, because it intentionally is not trying to offer a 1:1 emulation of client certificates, because they're a horrible and broken technology for the web at large (e.g. outside niche enterprise use cases). This is a fundamental flaw that WebID has been struggling with, without solution or adoption, for over for years.
However, alternatives exist - both via WebCrypto (as clearly demonstrated by Mozilla's past efforts through Persona) and via FIDO (as clearly demonstrated by Google, Microsoft, and others) - that offer more meaningful, usable, robust alternatives.
> As for wether WebID can work with Edge ( Microsoft Edge? ) or not I don't think we have yet looked at it. Why would it not work there?
Please read my original message, detailing the varying incompatibilities with <keygen>.
None of these are new to the WebID folks - nor has there been any traction whatsoever on the pet features the WebID CG have deemed essential to WebID (such as TLS logout). The hope is that WebID will, after the considerable time spent as a CG, realize there are alternative technical solutions that offer the same fundamental properties in more usable, more widely supported ways, without relying on the esoteric incompatible behaviours of browsers (as it does today, for example, TLS logout).
On Jul 31, 2015 3:23 AM, <henry...@gmail.com> wrote:
>
> It does if you use it the way the WebID-TLS spec specifies it:
> http://www.w3.org/2005/Incubator/webid/spec/
>
I think we will just have to agree to disagree here. As it relates to UX, as it relates to interactions with users' antivirus, as it relates to other devices and form factors, WebID-TLS is irreparably flawed. WebID-TLS advocates - such as yourself - should find this as no surprise. You (the CG) have lamented about 'bugs' (things working as designed) that hold it back.
As it relates to the browser, WebID-TLS merely appropriates the nearest technology, poorly, and with a number of problems. But finding a way to solve WebID-TLS isn't entirely germane to this discussion, and I've offered copious constructive feedback over the years of these efforts to try to assist you. Unfortunately, I think it's best to simply note that you disagree, but given that viable technical alternatives exist, that disagreement is by no means reason to keep a non-interoperable, problematic, insecure-by-design API around.
> So you admit that you want to remove a feature that cannot be emulated by other technologies. Why not instead first try to see if your favorite technology meets the use case that WebID tries to address, and then when it does a case can be made for deprecating other technologies. For the moment your attempt is too hasty.
I have provided you constructive feedback for over four years on advising you about the inherent flaws of the design. It is neither reasonable nor polite to suggest that I spend another year, or more, offering much of the same feedback, which will simply be ignored not because it is insufficient for your needs, but because you're change averse.
> You did not answer my concerns about JS crypto:
> * requires private keys to be served on the users local storage in a non secure manner
No different than <keygen>
> * is open to be read by any JS from the same origin, which is extreemly difficult to control, and as a result creates very difficult to enforce limitations of JS on web servers
If you can't control same-origin scripts, you have lost the game. Security game over.
> * is thefore open to fishing attacks
This isn't how phishing works. The same-origin policy gives you greater protection, not less.
> * suffers from all of the JS security issues
> For example logout could easily be solved by browsers by making that capability visible in the chrome. Proposals for that have been made: it's just requires some UI innovtaion. This issue will pop up any other way you try to do things, which is why the Web Crypto folks still cannot do the right thing.
>
I spent several years detailing to you in excruciating detail why this is technically flawed and fundamentally incompatible with how the web, TLS, and servers work. I seriously doubt you will take heed this time, but there is no doubt I've made extensive good faith effort at providing actionable technical solutions.
I hope you can understand my frustration that, despite years of providing technical feedback, WebID continues to insist on a broken model.
I can appreciate deprecating <keygen> will break the academic, experimental concept that is WebID. However, suitable technical alternatives do exist, if the WebID CG were to invest in the technical work, so this really falls on WebID. It's also clear that 'no' (for some value of 'no' that is nearly non-existent) users are actually using WebID, which again is consistent with the four+ years of the CG trying to promote WebID-TLS, so even the impact of WebID needing to readjust the design is exceedingly minimal.
My hope is that you'll take the time to evaluate the many messages I've sent in the past on this, as well as the ample feedback to the non-bugs, as I doubt there is anything more I can offer you in conversation on this thread beyond what has been said. When I wrote this message, I was and am very familiar with the WebID work, on a deep technical level, and I still stand by every bit that I said in the original message arguing for the deprecation in spite of this.
On Jul 31, 2015 3:23 AM, <henry...@gmail.com> wrote:
>
> It does if you use it the way the WebID-TLS spec specifies it:
> http://www.w3.org/2005/Incubator/webid/spec/
>I think we will just have to agree to disagree here. As it relates to UX, as it relates to interactions with users' antivirus, as it relates to other devices and form factors, WebID-TLS is irreparably flawed. WebID-TLS advocates - such as yourself - should find this as no surprise. You (the CG) have lamented about 'bugs' (things working as designed) that hold it back.
As it relates to the browser, WebID-TLS merely appropriates the nearest technology, poorly, and with a number of problems. But finding a way to solve WebID-TLS isn't entirely germane to this discussion, and I've offered copious constructive feedback over the years of these efforts to try to assist you. Unfortunately, I think it's best to simply note that you disagree, but given that viable technical alternatives exist, that disagreement is by no means reason to keep a non-interoperable, problematic, insecure-by-design API around.
> So you admit that you want to remove a feature that cannot be emulated by other technologies. Why not instead first try to see if your favorite technology meets the use case that WebID tries to address, and then when it does a case can be made for deprecating other technologies. For the moment your attempt is too hasty.
I have provided you constructive feedback for over four years on advising you about the inherent flaws of the design. It is neither reasonable nor polite to suggest that I spend another year, or more, offering much of the same feedback, which will simply be ignored not because it is insufficient for your needs, but because you're change averse.
> You did not answer my concerns about JS crypto:
> * requires private keys to be served on the users local storage in a non secure mannerNo different than <keygen>
> * is open to be read by any JS from the same origin, which is extreemly difficult to control, and as a result creates very difficult to enforce limitations of JS on web servers
If you can't control same-origin scripts, you have lost the game. Security game over.
> * is thefore open to fishing attacks
This isn't how phishing works. The same-origin policy gives you greater protection, not less.
> * suffers from all of the JS security issues
> For example logout could easily be solved by browsers by making that capability visible in the chrome. Proposals for that have been made: it's just requires some UI innovtaion. This issue will pop up any other way you try to do things, which is why the Web Crypto folks still cannot do the right thing.
>I spent several years detailing to you in excruciating detail why this is technically flawed and fundamentally incompatible with how the web, TLS, and servers work. I seriously doubt you will take heed this time, but there is no doubt I've made extensive good faith effort at providing actionable technical solutions.
On Friday, 31 July 2015 11:33:21 UTC+2, Ryan Sleevi wrote:
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
It does if you use it the way the WebID-TLS spec specifies it:This allows you to use one certificate to authenticate to all servers. WebCrypto as you admit does not do that.
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal. Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On some level, this removal will remove support for arbitrarily adding keys to the users' device-wide store, which is an intentional, by-design behavior.
While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability,
and represents an authentication scheme that does not work well for the web.
An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities.
Alternative implementation suggestion for web developers
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
If you want to criticize webid, then you have to say what they should do to get the same effect under the same constraints.
Supporting that process on all platforms would be a major a major pain. (It becomes temping on the open platforms to just give the users an app to fix the whole thing, do certificate management, properly).
You suggest that the things that webid developers have described as 'bugs' you feel is 'working as intended'.... hmmm.
On Fri, Jul 31, 2015 at 2:16 PM, <01234567...@gmail.com> wrote:If you want to criticize webid, then you have to say what they should do to get the same effect under the same constraints.Not when the desired effect is unreasonable. The point is to show comparable solutions exist, with reasonable tradeoffs. There's not an incumbent demand to show there's a 100% functionally equivalent solution, because the functionality itself is problematic and flawed by design.
Supporting that process on all platforms would be a major a major pain. (It becomes temping on the open platforms to just give the users an app to fix the whole thing, do certificate management, properly).This is exactly what I said in the original message, and which you acknowledge has a very important adjective there - "properly".Systems management is not the realm of the browser. You should not have functionality that, say, allows arbitrary websites to configure your Wifi. I say this knowing full well that there are a tremendous number of interesting and exciting things you could do if such a functionality existed. Similarly, your browser should not be the vector for VPN management, despite their being exciting and compelling things you could do.Certificate and key management - which is system wide, affects all other applications and origins - is itself a fundamentally flawed premise for a browser to be involved in, nor is it required for any 'spec-following' <keygen> implementation. As the original message laid out, there's no way such a feature would have a reasonable chance of succeeding. The very premise of WebID rests on the ability to create a cross-origin super-cookie (the client cert), and the bugs filed make it clear there's a desire to reduce or eliminate the user interaction in doing so.
You suggest that the things that webid developers have described as 'bugs' you feel is 'working as intended'.... hmmm.Yes. They are. I've explained at great length to your fellow WebID CG members, during discussions in the WebCrypto WG, on the Chromium tracker, in private emails, and at W3C TPACs and F2Fs, how several of the fundamental requirements of WebID are, at a protocol level, incompatible with how the Web works.
Regardless of your feelings towards WebID, which I fully acknowledge that after several years of effort, I'm unlikely to dissuade any members of the technical folly, let's go back to first principles.Should an arbitrary website be able to make persistent modification to your device, that affects all applications, without user interaction? (As implemented today in several browsers?). The answer is immediately and obviously no.
What tools exist to mitigate this concern? As browser operators, we have two choices:1) Only allow the origin to affect that origin.2) Defer the decision to the user, hoping they're sufficiently aware and informed of the risks and implications.1) is entirely viable if <keygen> were kept around, but it would entirely eliminate the value proposition of <keygen> from those arguing for it being kept (both on this thread and the similar Mozilla thread - https://groups.google.com/d/msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ ). So we can quickly rule that out as causing the same concerns.
2) is not a viable pattern. You yourself have commented on past threads on encouraging TLS adoption what you view of the complexity involved in certificate management, and these are challenges being faced by populations with a modicum of technical background (web developers, server operators, the like). Surely you can see these challenges - and concepts - of key management and hygiene are well beyond the ken of the average user. But let's assume we could draft some perfect language to communicate to the user, what would we need to communicate?"If you continue, this website may be able prevent your machine from accessing the Internet?""If you continue, this website may be able to allow arbitrary parties to intercept all of your secure communications?"
Is that a reasonable permission to grant? No, absolutely not. But that's what <keygen> - and the related application/x-x509-*-cert - rely on. That itself is a fundamental problem, and one which is not at all reasonable to ask.
I do hope you can re-read my original message and see the many, fundamental, by-design issues with <keygen>. It's existence was to compete with a Microsoft-developed ActiveX system management control intended for internal networks only, and whose inception predated even the modern extension systems now used for management of Mozilla Firefox. I don't deny that you've found utility in the fact that something insecure, and broken by design, has been exposed to the Web, but that's not itself an argument for its continuation. Given the risks, it's also not reasonable to suggest that the feature be held hostage by a small minority of developers, with virtually non-existent group of users, until they can be convinced of technical alternatives. Somewhere, there has to be a split as to what represents a reasonable part of the Web platform - and what represents an artifact of the heady, but terribly insecure, days of the First Browser Wars and the pursuit of vendor-lockin.
1) Firefox at least until recently had its own keychain, so it did not affect all other apps. So your statement is not true for all browsers
3) It would be easy to improve the user interface to allow the user to view and inspect the certificate before accepting it. The user could for example add a small nick name to the certificate to identify it more easily. I can think of a lot of other improvements that would massively improve the UI. (I am available for consultation to help out there)
4) The certificates added allow the user to authenticate to other sites, they were not certifiate authority certificates ( IF a browser automatically added that there would be justified global outcry). These client certificates do not influence the security of the web.
5) Your argument would apply just as well for adding passwords to the keychain too. I don't think many people would be convinced that that was a great problem. I myself find that feature really nice by the way. It allows me to move between Safari and Chrome from time to time ( and to Firefox with an addon ), without having to add all the passwords back again. The reason I never used Opera was the fact that I could never extract passwords again from their keychain. I did not want to invest in a browser that did not give me the freedom to switch later.
You have not provided an argument here based on first principles. If you had it would not be so easy to show how minor improvements to the UI could change the situation. I think your problem here is that you are so focused on the crypto or the lower layers that you fail to take into account the dimensions closer to the user that involve psychology, artistic design, etc...Of course if you don't take those dimensions into account I can see how you can come to the conclusion that your argument is fail safe.
yes, a keygen that would create a certificate that allowed you to log in to one site only would not be very interesting. Kind of defeating the whole point of asymmetric crypto.
This would only be the case if the browser allowed Certificate Authority level certificates to be installed. But the browsers usually have 3 different levels of certificates which go into different boxes that are isolated: user certificates, user installed CA certificates and browser CA installed certificates.
yes, but it is a straw man, as I don't think any browser automatically would allow CA based certificates to be added.
From the above I don't get the feeling that you really understand how the certificate systems work. What am I missing here?
On Fri, Jul 31, 2015 at 3:40 PM, <henry...@gmail.com> wrote:1) Firefox at least until recently had its own keychain, so it did not affect all other apps. So your statement is not true for all browsersI never said it was.3) It would be easy to improve the user interface to allow the user to view and inspect the certificate before accepting it. The user could for example add a small nick name to the certificate to identify it more easily. I can think of a lot of other improvements that would massively improve the UI. (I am available for consultation to help out there)While generous, I already demonstrated why this is a fundamentally flawed argument.
4) The certificates added allow the user to authenticate to other sites, they were not certifiate authority certificates ( IF a browser automatically added that there would be justified global outcry). These client certificates do not influence the security of the web.This is factually wrong, as responded to below.
5) Your argument would apply just as well for adding passwords to the keychain too. I don't think many people would be convinced that that was a great problem. I myself find that feature really nice by the way. It allows me to move between Safari and Chrome from time to time ( and to Firefox with an addon ), without having to add all the passwords back again. The reason I never used Opera was the fact that I could never extract passwords again from their keychain. I did not want to invest in a browser that did not give me the freedom to switch later.Yes, and we no longer do. So that's also consistent :)
You have not provided an argument here based on first principles. If you had it would not be so easy to show how minor improvements to the UI could change the situation. I think your problem here is that you are so focused on the crypto or the lower layers that you fail to take into account the dimensions closer to the user that involve psychology, artistic design, etc...Of course if you don't take those dimensions into account I can see how you can come to the conclusion that your argument is fail safe.While I appreciate your concern about what I am and am not thinking about, you will find that the very message you were replying to was focused very much on these. My past replies to you, in the WebCrypto WG (and WebCrypto CG) and on the bugs you have filed have also provided ample evidence why it's not a UI issue, but a technical one. It's clear I won't be able to convince you of that any further, but I do want to highlight the very real disagreement with your assertions.
yes, a keygen that would create a certificate that allowed you to log in to one site only would not be very interesting. Kind of defeating the whole point of asymmetric crypto.This is a statement that makes no sense. It defeats the point of _your_ goal, but it's perfectly consistent with asymmetric crypto. There is no requirement for multi-party exchanges in public/private keypairs.
This would only be the case if the browser allowed Certificate Authority level certificates to be installed. But the browsers usually have 3 different levels of certificates which go into different boxes that are isolated: user certificates, user installed CA certificates and browser CA installed certificates.Sorry Henry, but this isn't the case.Let me make it absolutely clear, although I stated as much in the original message: Installing client certificates is a risky and dangerous operation that can break the ability for a user to securely browse the web. This is true for ALL platforms I'm concerned about (e.g. all the platforms on Chrome). I cannot make this more abundantly obvious, but the sheer act of installing a client certificate is a _dangerous_ operation, and one on which the entire premise of WebID is balanced.
yes, but it is a straw man, as I don't think any browser automatically would allow CA based certificates to be added.No, you're ignoring what I wrote in the original message. Through simple use of <keygen> - without any certificates - I can break users devices. Full stop.
Now you can argue it's a "bug" that needs fixing - and I agree, the fact that a <keygen> tag can do this IS quite unfortunate AND well known (although not by the WebID folks, it would seem). But the question is whether or not there is anything worth saving in <keygen> in the face of bugs like this - and the many other reasons I outlined in the original message - and the answer is increasingly "No".
From the above I don't get the feeling that you really understand how the certificate systems work. What am I missing here?Thanks for the vote of confidence. This will be my last reply, as I've yet again been suckered into making a good faith attempt to explain to you the issues.
[snip]
On Tue, Jul 28, 2015 at 1:47 PM, David Benjamin <davi...@chromium.org> wrote:
[snip]
This is allowing a website to inject a certificate and key pair into the global key store for use *by* your native email client. Now, this is also not thaaaat uncommon of an inter-application integration point, but it's one whose ramifications are extremely unclear. And the way it is done with <keygen> is pretty horrific. Websites can spam the key store with persistent private keys, all of which are orphaned and useless. Only a week later, when the CA has approved your certificate request, does the key then get bound to a certificate and become usable. But, even then, we can either do it without prompting (and now my store is further spammed) or we can do it with a prompt that no user will understand ("would you like to add this certificate to your certificate store?").
That's a stronger argument and one that resonates with me.
It's just a bad mechanism all around. A much much better mechanism would be, as Ryan describes below, for the enrollment application to construct a PKCS#12 bundle (or some other format) with both key and certificate and then we pass that bundle off somewhere to import as one unit. Before the two halves are correlated, storage of the private key is the enrollment application's responsibility and falls under the isolation and other policies of any other web application storage.
Skimming the list for some arguments on the danger of client certificate generation I found this.
On Tuesday, 28 July 2015 23:28:44 UTC+2, Alex Russell wrote:[snip]This is allowing a website to inject a certificate and key pair into the global key store for use *by* your native email client. Now, this is also not thaaaat uncommon of an inter-application integration point, but it's one whose ramifications are extremely unclear. And the way it is done with <keygen> is pretty horrific. Websites can spam the key store with persistent private keys, all of which are orphaned and useless. Only a week later, when the CA has approved your certificate request, does the key then get bound to a certificate and become usable. But, even then, we can either do it without prompting (and now my store is further spammed) or we can do it with a prompt that no user will understand ("would you like to add this certificate to your certificate store?").That's a stronger argument and one that resonates with me.It looks like this would be quite easy to fix on the browser side by:1) placing the generated private key with metadata ( when was it generated, on which site, what form fields were filled in, etc ) in a browser specific store
2) if the certificate is then downloaded to use all this metadata to remind the user of when this was done. The further back it is the more detail obviously needs to be given to remind the user of what he was trying to do.
3) sites that do certificate spamming should then obvious to the user who can then avoid them like any other spamming site
Note that in the WebID-TLS authentication protocol we can get the certificate to be returned IMMEDIATELY. There is no need to go through a CA "verification" procedure. The extra information could be added and removed later by the CA by adding or removing relations from the WebID Profile document or from other linked documents ( see details in the documents http://www.w3.org/2005/Incubator/webid/spec/ ).
It's just a bad mechanism all around. A much much better mechanism would be, as Ryan describes below, for the enrollment application to construct a PKCS#12 bundle (or some other format) with both key and certificate and then we pass that bundle off somewhere to import as one unit. Before the two halves are correlated, storage of the private key is the enrollment application's responsibility and falls under the isolation and other policies of any other web application storage.I can't quite tell from the description, but this raises alarm bells a it sounds like it would allow the private key to leak out to a wider world. The way things work currently where the private key is under the full and only control of the browser is much more secure.
On Sat, Aug 1, 2015 at 4:27 AM <henry...@gmail.com> wrote:Skimming the list for some arguments on the danger of client certificate generation I found this.
On Tuesday, 28 July 2015 23:28:44 UTC+2, Alex Russell wrote:[snip]This is allowing a website to inject a certificate and key pair into the global key store for use *by* your native email client. Now, this is also not thaaaat uncommon of an inter-application integration point, but it's one whose ramifications are extremely unclear. And the way it is done with <keygen> is pretty horrific. Websites can spam the key store with persistent private keys, all of which are orphaned and useless. Only a week later, when the CA has approved your certificate request, does the key then get bound to a certificate and become usable. But, even then, we can either do it without prompting (and now my store is further spammed) or we can do it with a prompt that no user will understand ("would you like to add this certificate to your certificate store?").That's a stronger argument and one that resonates with me.It looks like this would be quite easy to fix on the browser side by:1) placing the generated private key with metadata ( when was it generated, on which site, what form fields were filled in, etc ) in a browser specific store2) if the certificate is then downloaded to use all this metadata to remind the user of when this was done. The further back it is the more detail obviously needs to be given to remind the user of what he was trying to do.
This does not address the key-spamming issue..
Installing client certificates is a risky and dangerous operation that can break the ability for a user to securely browse the web. This is true for ALL platforms I'm concerned about (e.g. all the platforms on Chrome). I cannot make this more abundantly obvious, but the sheer act of installing a client certificate is a _dangerous_ operation [snip]
Or are you proposing that keygen include a user prompt too? Both this and the prompt below are going to be incomprehensible to most users
3) sites that do certificate spamming should then obvious to the user who can then avoid them like any other spamming siteThis kind of scheme would be rejected today. Installing user certificates modifies state outside an origin and thus cannot just be resolved by the user deciding not to visit the site anymore.
Client certificates are also mired with legacy assumptions by other uses. Deployments expect that certificates from the system-wide store be usable which constrains changes.
This should be using an origin-scoped storage API. We already have more of those than I can count. I believe WebCrypto intentionally declined to add a new one and (correctly) leans on existing ones. We cannot add random APIs for every niche use case that comes up. Instead, we should add a minimal set of APIs that allow maximal flexibility and power while satisfying other goals. (Easy to develop for, satisfies security policies, etc.) keygen and x-x509-user-cert satisfy none of this. They're pure legacy.
Note that in the WebID-TLS authentication protocol we can get the certificate to be returned IMMEDIATELY. There is no need to go through a CA "verification" procedure. The extra information could be added and removed later by the CA by adding or removing relations from the WebID Profile document or from other linked documents ( see details in the documents http://www.w3.org/2005/Incubator/webid/spec/ ).
In that case, you have no need for persistent storage and can simply hold the key in memory while waiting for the certificate to be minted.
It's just a bad mechanism all around. A much much better mechanism would be, as Ryan describes below, for the enrollment application to construct a PKCS#12 bundle (or some other format) with both key and certificate and then we pass that bundle off somewhere to import as one unit. Before the two halves are correlated, storage of the private key is the enrollment application's responsibility and falls under the isolation and other policies of any other web application storage.I can't quite tell from the description, but this raises alarm bells a it sounds like it would allow the private key to leak out to a wider world. The way things work currently where the private key is under the full and only control of the browser is much more secure.
If you can't trust your origin then your enrollment application is already bust. The web's security model assumes that code running in an origin is running on behalf of that origin, just like native code must avoid arbitrary code exec on a traditional platform. In MIT's enrollment system, for instance, the origin is already trusted to handle the user's password, a more valuable credential than the certificates it mints.
Perhaps WebID's enrollment application doesn't have a password it verifies. But defending an origin from itself is not consistent with the browser's security model. We can build mechanisms to help an origin maintain its integrity (CSP, SRI) or help an origin subdivide itself (<iframe sandbox> or this per-page suborigins proposal I've seen floating around), but trying to defend an origin from *all* of itself doesn't make sense. That boils down to moving entire applications into the browser with one-off single-use-case APIs (like keygen and x-x509-user-cert). That is not how to develop a platform. It would be absurd to add a playChess() API to protect your chess win rate from a compromised https://chess.example.com origin.
David
Jeffrey
For an example of the embarrassment and chaos caused when Mozilla removed the crypto.signText API without checking with anybody, and without offering any replacement, see this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1083118
> Reading it earlier today I wondered how would a random site I come across
> know what iframe or service worker to communicate with, given that it does
> not yet know who I am? Currently this is done using the well known NASCAR
> pattern that is: a site one goes to lists all the top centralised providers
> with which one can log on. ( see https://indiewebcamp.com/NASCAR_problem )
> The nascar solution to the problem just re-inforces centrlaised players, is
> bad for the web, and is a UI disaster.
>
> How do you deal with this without the user needing to type in a URL for his
> account? With WebID the browser presents a set of certificates which the
> user can then just select from using point and click. Furthermore that is
> recogniseably part of the chrome.
Doesn't WebID already assume users know their identifying URL?
On Tue, Aug 4, 2015 at 4:50 PM, <min...@sharp.fm> wrote:For an example of the embarrassment and chaos caused when Mozilla removed the crypto.signText API without checking with anybody, and without offering any replacement, see this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1083118I wouldn't call that embarrassment and chaos - that was Mozilla being good stewards of the platform and removing Browser-specific public APIs that have never been implemented by any other browser, nor would they be. While Mozilla ultimately decided to fund development of an extension to replace it, it did so primarily because it was clear that the software vendors were selling products with a clear intent to "only support Firefox", and were unwilling or unable to engineer solutions that were browser agnostic.This sort of gets to the core point - whether or not it's a healthy function of a browser to encourage and enable developers to write sites that are browser-specific. The answer is, for most browsers, "Definitely not". That is, openness and interoperability is key.
So then the next question is whether <keygen>, window.crypto.signText, generateCRMFRequest, application/x-x509-*-cert, or any of these other "PKI management" functions have a role in the open web platform. And the answer there is, again, no; they're artifices of an early time when security was an afterthought and a rational, interoperable web platform that can scale to billions of devices - from your phone to your PC to your TV - was not a priority.
I know Mozilla does not view this as a success story - that is, that governments and banks rely on these non-standard features.
Our own experiences with the vendors selling these governments/banks software is that they are some of the worst actors for standards compliance, and consistently fail to properly implement what they're supposed to for smart cards, so it comes as no surprise that they would use a variety of non-standard features (and worse, unnecessarily so, since they ended up developing plugins to support other browsers and they could have just done the same in Firefox).However, none of this is relevant to <keygen>, for which the metrics - both crawler and real world usage - show there's virtually no usage, and there are alternatives for what Chrome has implemented (I clarify this to ensure that no improper parallels to Firefox are drawn, but even still, alternatives exist for Firefox as well)
On Aug 4, 2015 10:55 PM, <henry...@gmail.com> wrote:
>
> yes, and keygen has been tested and is now part of html5.
>
> http://www.w3.org/TR/html5/forms.html#the-keygen-element
I encourage you to review the history behind this. Even at the time of inclusion, there was significant disagreement, and its inclusion was historic documentation, not aspirational inclusion. And what is in the spec is, again, not what is implemented, so pointing to the spec as proof of standardization is highly misleading.
>
> Often what happens is that something is first tried out in the wild, then if it shows potential it is standardised.
And when it doesn't, and the experiment fails, it's removed.
The experiment had failed.
> In the same way, Keygen was non standard to start off with, even though it was deployed in at least 3 browsers for about 10 years.
Never interoperably.
> They are standard: they are in HTML5!
My entire comment was about the bits that Mozilla only ever implemented - the very thing I was replying to. window.crypto.signText and generateCRMFRequest, two Firefox only features that were never implemented by another browser, but depressingly and unnecessarily became a core part of certain software vendors' offering to government and banking clients. There's no reason for that.
Again, given the opposition to <keygen> by one major browser (who objected at the time to even including in the spec - and which Chrome didn't support for several years after anyways), given our fundamental security concerns, and given Mozilla's vastly different implementation (which they too are looking to remove), it's somewhat silly to argue this is something with consensus and a bright future.
You keep suggesting it is merely an issue of UI, as you have for four years. I've explained repeatedly to you why it isn't. I wrote the Chrome implementation for multiple platforms. I maintain the code underlying Firefox's implementation. I'm extensively familiar with Microsoft's cryptographic APIs down to the assembly level. I've worked with governments and finance on the systems that have relied on such features, and work extensively with CAs and the web PKI, and participate in the IETF TLS WG. This is not a matter of me not understanding certificate systems, as you've suggested, but rather being all too painfully aware of the non-future such systems have, and the many fundamental problems that WebID has.
At this point, I'm not sure what more I can do for you. I am 100% confident that secure and viable alternatives exist for the things that are reasonable, and 100% confident that some of what WebID wants is hostile to security and privacy and thus unreasonable for the platform. I don't think it's reasonable to suggest holding deprecation hostage until Chromium engineers write an alternative, much as was done to Mozilla engineering (not by WebID explicitly, go be clear), but I am wholly convinced - knowing the WebID spec AND how many of the implementations work and have worked for years - that WebID will find suitable and viable alternatives once motivated.
Since it seems we will continue to disagree on even the most basic, core points - such as the documented history of <keygen> and its status of interoperability - and because the security and privacy concerns are wholly being dismissed - I think it best that this be my last reply to you, for I fear we have nothing more productive to offer, and it seems that no matter how much evidence or history provided, we will still keep circling on these points.
The exciting part for you should be that although <keygen> is a demonstrable technological dead end, now, more then ever is there ample means and opportunity to explore ways in creating new APIs that work for the web. There is ample means to polyfill high level APIs based on the low level primitives available, such as WebCrypto and Service Workers, and browsers more than ever provide ample opportunity to explore even new low level primitives such as via extensions. This gives you plenty of tools to explore different shapes of a new API that can address the many fundamental, by design, flaws of <keygen>, and then propose them for standardization if they end up being meaningful. In the process, it can also help the WebID supporters discover how much, if not all, of what they want can be replaced with a simple JavaScript file.
On Aug 4, 2015 10:55 PM, <henry...@gmail.com> wrote:
>> yes, and keygen has been tested and is now part of html5.
>
> http://www.w3.org/TR/html5/forms.html#the-keygen-elementI encourage you to review the history behind this. Even at the time of inclusion, there was significant disagreement, and its inclusion was historic documentation, not aspirational inclusion. And what is in the spec is, again, not what is implemented, so pointing to the spec as proof of standardization is highly misleading.
>
> Often what happens is that something is first tried out in the wild, then if it shows potential it is standardised.And when it doesn't, and the experiment fails, it's removed.
The experiment had failed.
> In the same way, Keygen was non standard to start off with, even though it was deployed in at least 3 browsers for about 10 years.
Never interoperably.
> They are standard: they are in HTML5!
My entire comment was about the bits that Mozilla only ever implemented - the very thing I was replying to. window.crypto.signText and generateCRMFRequest, two Firefox only features that were never implemented by another browser, but depressingly and unnecessarily became a core part of certain software vendors' offering to government and banking clients. There's no reason for that.
Again, given the opposition to <keygen> by one major browser (who objected at the time to even including in the spec - and which Chrome didn't support for several years after anyways), given our fundamental security concerns, and given Mozilla's vastly different implementation (which they too are looking to remove), it's somewhat silly to argue this is something with consensus and a bright future.
You keep suggesting it is merely an issue of UI, as you have for four years. I've explained repeatedly to you why it isn't. I wrote the Chrome implementation for multiple platforms. I maintain the code underlying Firefox's implementation. I'm extensively familiar with Microsoft's cryptographic APIs down to the assembly level. I've worked with governments and finance on the systems that have relied on such features, and work extensively with CAs and the web PKI, and participate in the IETF TLS WG. This is not a matter of me not understanding certificate systems, as you've suggested, but rather being all too painfully aware of the non-future such systems have, and the many fundamental problems that WebID has.
At this point, I'm not sure what more I can do for you. I am 100% confident that secure and viable alternatives exist for the things that are reasonable, and 100% confident that some of what WebID wants is hostile to security and privacy and thus unreasonable for the platform. I don't think it's reasonable to suggest holding deprecation hostage until Chromium engineers write an alternative, much as was done to Mozilla engineering (not by WebID explicitly, go be clear), but I am wholly convinced - knowing the WebID spec AND how many of the implementations work and have worked for years - that WebID will find suitable and viable alternatives once motivated.
On Aug 5, 2015 12:20 PM, "Melvin Carvalho" <melvinc...@gmail.com> wrote:
>
> And this seems a common misconception of the technology.
It doesn't matter the why, so much as the how, and whether alternatives exist for that. And they do.
> I can testify that there are millions of webid identities on the web across hundreds of sites (still tiny compared with the web at large) but not zero.
As someone responsible for creating over a thousand of those trying to dig into bugs, I suspect that the numbers here are far more misleading.
> Our goal with webid was for users to be able to authenticate without necessarily building huge password silos that have been commonplace. We didnt know how to do it, until it was noticed that client side authentication was built into most browsers, and has been for over a decade.
And doesn't work with HTTP/2 and is significantly simplified in TLS1.3, both in ways incompatible with WebID without reengineering it.
>
> The main advantage of this is that it is tested and we dont have a 10 year lead time to wait for getting it to users.
But it isn't tested. Like, literally, it isn't tested. Firefox or Chrome. Because the interactions with the platform can't be reliably tested dud to the side effects.
Which is yet another problem.
>
> The system works quite well, and in our small community, which we acknowledge KEYGEN is not perfect, we have yet to have a single security violation reported in 4 years.
That's great, but I didn't say WebID was fundamentally insecure, I said <keygen> and application/x-x509* are. And they're insecure in a way that no one would ever report to you, because its a browser security issue fundamentally.
> The main issue we have come across is that there is a perception that the certificate dialog is confusing for end users. For example firefox has a "remember this choice" button, but it doesnt actually remember that choice. Other things like it being text based, rather than, text and avatar based make it look dated to some people.
It's far, far more than that, but you don't see those issues because you're held back by the basics. And let's not forget that logout is fundamentally incompatible with the Web as designed and works. It really is. TLS sessions don't work like you want. HTTP connection pooling doesn't work like you need. Browser logic to support client certificates where they are used in abundance (enterprises) is incompatible with WebID. Even mobile platforms like Android and iOS explicitly don't work like you need. And you won't solve that with UI.
The premise is that <keygen> is necessary because client certs are necessary, but the client certs are a technological dead end for the How of what WebID is trying to accomplish - irreparably so, and has been, and you acknowledge - and so too does <keygen> as a vector to those represent a flawed conclusion.
> So in summary, WebID is perhaps used more that some may think, and we'd love to improve it. No one is trying to hold anyone hostage. But please hold off deprecating things a little longer, until we can agree on good usable and tested alternatives, and we'd really appreciate it if some resource could be spent making what's there today be a little more usable.
I've been communicating these points to folks involved in WebID for years, on the bugs, at W3C meetings, and in emails. The WebID work has not seen any measurable advance on these measures in four years. It's also clear, from your own numbers, that the number of sites affected is in the hundreds, if that. I certainly have evidence that the numbers of actual Chrome users encountering WebID are on a similar order of magnitude. To the extent it will be disruptive to WebID, I readily acknowledge, but to the impact at the web and to users, it's demonstrably and admittedly a vocal minority, where the number of emails we've sent alone discussing it is within an order of magnitude of sites actually affected.
On Aug 4, 2015 10:55 PM, <henry...@gmail.com> wrote:
>> yes, and keygen has been tested and is now part of html5.
>
> http://www.w3.org/TR/html5/forms.html#the-keygen-elementI encourage you to review the history behind this. Even at the time of inclusion, there was significant disagreement, and its inclusion was historic documentation, not aspirational inclusion. And what is in the spec is, again, not what is implemented, so pointing to the spec as proof of standardization is highly misleading.
>
> Often what happens is that something is first tried out in the wild, then if it shows potential it is standardised.And when it doesn't, and the experiment fails, it's removed.
The experiment had failed.
> In the same way, Keygen was non standard to start off with, even though it was deployed in at least 3 browsers for about 10 years.
Never interoperably.
> They are standard: they are in HTML5!
My entire comment was about the bits that Mozilla only ever implemented - the very thing I was replying to. window.crypto.signText and generateCRMFRequest, two Firefox only features that were never implemented by another browser, but depressingly and unnecessarily became a core part of certain software vendors' offering to government and banking clients. There's no reason for that.
Again, given the opposition to <keygen> by one major browser (who objected at the time to even including in the spec - and which Chrome didn't support for several years after anyways), given our fundamental security concerns, and given Mozilla's vastly different implementation (which they too are looking to remove), it's somewhat silly to argue this is something with consensus and a bright future.
You keep suggesting it is merely an issue of UI, as you have for four years. I've explained repeatedly to you why it isn't. I wrote the Chrome implementation for multiple platforms. I maintain the code underlying Firefox's implementation.
I'm extensively familiar with Microsoft's cryptographic APIs down to the assembly level.
I've worked with governments and finance on the systems that have relied on such features, and work extensively with CAs and the web PKI, and participate in the IETF TLS WG. This is not a matter of me not understanding certificate systems, as you've suggested, but rather being all too painfully aware of the non-future such systems have, and the many fundamental problems that WebID has.
At this point, I'm not sure what more I can do for you. I am 100% confident that secure and viable alternatives exist for the things that are reasonable, and 100% confident that some of what WebID wants is hostile to security and privacy and thus unreasonable for the platform.
I don't think it's reasonable to suggest holding deprecation hostage until Chromium engineers write an alternative, much as was done to Mozilla engineering (not by WebID explicitly, go be clear), but I am wholly convinced - knowing the WebID spec AND how many of the implementations work and have worked for years - that WebID will find suitable and viable alternatives once motivated.
Since it seems we will continue to disagree on even the most basic, core points - such as the documented history of <keygen> and its status of interoperability - and because the security and privacy concerns are wholly being dismissed - I think it best that this be my last reply to you, for I fear we have nothing more productive to offer, and it seems that no matter how much evidence or history provided, we will still keep circling on these points.
The exciting part for you should be that although <keygen> is a demonstrable technological dead end, now, more then ever is there ample means and opportunity to explore ways in creating new APIs that work for the web. There is ample means to polyfill high level APIs based on the low level primitives available, such as WebCrypto and Service Workers, and browsers more than ever provide ample opportunity to explore even new low level primitives such as via extensions.
This gives you plenty of tools to explore different shapes of a new API that can address the many fundamental, by design, flaws of <keygen>, and then propose them for standardization if they end up being meaningful. In the process, it can also help the WebID supporters discover how much, if not all, of what they want can be replaced with a simple JavaScript file.
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal. Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On some level, this removal will remove support for arbitrarily adding keys to the users' device-wide store, which is an intentional, by-design behaviour.
While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability, and represents an authentication scheme that does not work well for the web. An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities.
On 26 Aug 2015, at 02:21, samuel...@gmail.com wrote:One of the main differences between Webcrypto and keygen besides the ability to work with the server to create TLS certs is that the only secure browser chrome driven system that seems to exist for user security is TLS client auth. Webcrypto solves a lot of issues in theory by making private keys non-extractable by choice and the API immutable but the weakness that still exists in an overarching fashion is the nature of control the server has over the executing JS. Ideally, there should be some sort of visual component to Webcrypto that allows it to work purely in the interest of the user, such that a malicious server is unable to purposefully get ahold of a private key whether by using handrolled crypto libs that appear to work as intended but arent native and therefore exposing the private key to the server invisibly or even just the server setting extractable to true and getting the private key invisibly (invisibly assuming the person isn't combing their network requests). There needs to be some sort of browser chrome driven way for the user to be confident that a malicious server simply could not get ahold of their private keys because their private keys were generated in browser, unextractably. The only interface that exists for anything like this at all is keygen and client cert chrome. I do not believe this is an absurd use case given that web crypto is a standard now. The key discovery standard which no one has implemented yet may address some of these things, I am unsure, but the point still stands that whether client auth TLS is a good thing or not, there really should be some sort of in browser crypto that truly works in favor of the user even so that a malicious server cannot "win" by dictating all facets of the JS execution.
On 26 Aug 2015, at 02:21, samuel...@gmail.com wrote:One of the main differences between Webcrypto and keygen besides the ability to work with the server to create TLS certs is that the only secure browser chrome driven system that seems to exist for user security is TLS client auth. Webcrypto solves a lot of issues in theory by making private keys non-extractable by choice and the API immutable but the weakness that still exists in an overarching fashion is the nature of control the server has over the executing JS. Ideally, there should be some sort of visual component to Webcrypto that allows it to work purely in the interest of the user, such that a malicious server is unable to purposefully get ahold of a private key whether by using handrolled crypto libs that appear to work as intended but arent native and therefore exposing the private key to the server invisibly or even just the server setting extractable to true and getting the private key invisibly (invisibly assuming the person isn't combing their network requests). There needs to be some sort of browser chrome driven way for the user to be confident that a malicious server simply could not get ahold of their private keys because their private keys were generated in browser, unextractably. The only interface that exists for anything like this at all is keygen and client cert chrome. I do not believe this is an absurd use case given that web crypto is a standard now. The key discovery standard which no one has implemented yet may address some of these things, I am unsure, but the point still stands that whether client auth TLS is a good thing or not, there really should be some sort of in browser crypto that truly works in favor of the user even so that a malicious server cannot "win" by dictating all facets of the JS execution.I think one can make a slightly stronger point. You speak here of a malicious server. What people tend to think of here is a server that has been broken into, and root taken. Perhaps code in the Apache or Ngingx server has been changed surrpetitiously. The problem is: nothing this dramatic needs to have taken place.With javascript same origin policy and some HTTP upload method like WebDAV - even if well secured to only allow a specific set of users to upload anything - any javascript uploaded to the origin anywhere can potentially get access to those private keys in the browser local storage and then use it to impersonate the user. This is not true of uploaded html, css, or any other data. Furthermore: since JS is turing complete language, it can be near impossible for an advanced programmer to tell if a piece of code uploaded is actually doing something malicious.
The only way to secure a server then is to not allow any upload anywhere of any JS. But then how would one use the JS Crypto libs?
If the JS crypto libs had a way to get the user to sign things through the chrome and everyone be guaranteed that the JS never had access to the private keys, then it would be possible to distinguish who had signed what with the private key x of some public key.
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
However, seeing as how it looks like deprecation is imminent and furthermore I get to a degree, in principle, why it is occurring, I would like to know if there is any movement in attempting to push forward the key discovery spec that for some reason was split from the WebCrypto spec.
not trust that the Javascript served to you did what it was supposed to and used WebCrypto with extract set to false.
I referred to weaknesses with WebCrypto when there is a malicious server, which I see implies a server that was taken over. A malicious server may be a bad term. There are plenty of reasons to desire a server in which no trust is placed but still is used. For example: someone wants to host signed documents. The server shouldn't need to be trusted, but it can still host signatures and documents. This is a completely legitimate reason for a server that is not rooted or even actively malicious to be barred from private keys: the guarantee that comes with it even if no one on the other end is actually trying to forge things.
for example the site could sign anything they wanted in the user's name, decrypt things and get the message defeating encryption, or attack the key as the WebCrypto API essentially provides a ton of oracles and a lot of crypto breaks when this is possible.
This, unfortunately is on no road maps and just me speculating.
Even, say, if there was something as simple as non-subtle implementations of public key authentication protocols that were browser assisted using the WebCrypto API.. essentially a replacement for client SSL certs where the authentication was separated from the keygen tag, the automatic server assisted cert generation/installation and TLS connections themselves, but where the browser still exerted some level control in favor of the user.
Tl;dr what I would like to know is, if anything, is the key discovery API on track for implementation?
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
On Mon, Aug 31, 2015 at 7:40 PM, <samuel...@gmail.com> wrote:However, seeing as how it looks like deprecation is imminent and furthermore I get to a degree, in principle, why it is occurring, I would like to know if there is any movement in attempting to push forward the key discovery spec that for some reason was split from the WebCrypto spec.No, it remains as problematic from privacy, security, and usability as it always has.not trust that the Javascript served to you did what it was supposed to and used WebCrypto with extract set to false.If you can't guarantee this, all pretense of security is lost.I referred to weaknesses with WebCrypto when there is a malicious server, which I see implies a server that was taken over. A malicious server may be a bad term. There are plenty of reasons to desire a server in which no trust is placed but still is used. For example: someone wants to host signed documents. The server shouldn't need to be trusted, but it can still host signatures and documents. This is a completely legitimate reason for a server that is not rooted or even actively malicious to be barred from private keys: the guarantee that comes with it even if no one on the other end is actually trying to forge things.And such systems can and do exist with Web Crypto.for example the site could sign anything they wanted in the user's name, decrypt things and get the message defeating encryption, or attack the key as the WebCrypto API essentially provides a ton of oracles and a lot of crypto breaks when this is possible.Correct.This, unfortunately is on no road maps and just me speculating.Such systems did (kinda) exist, by Firefox, called window.crypto.signText. It was, as you can expect, problematic. The space has been continually explored in a variety of ways - from signing 'plain text' (insufficient for most use cases), signing XML (of which XML DSig is a nightmare, and XAdEs is a joke), signing PDF (with all the attendant issues), signing JSON (not as human readable as you might hope), to even signing manifests of all the things contributing to the DOM (notwithstanding any/all mutations to the DOM that may have modified the internal JS behaviours but then removed themselves from the DOM).
On paper, it looks an easy task. In practice, it's quite unrealistic - which is why the Web Crypto WG ruled it out of scope.Even, say, if there was something as simple as non-subtle implementations of public key authentication protocols that were browser assisted using the WebCrypto API.. essentially a replacement for client SSL certs where the authentication was separated from the keygen tag, the automatic server assisted cert generation/installation and TLS connections themselves, but where the browser still exerted some level control in favor of the user.This exists today. It's part of the work of FIDO Alliance, provides a workable JS API for a constrained set of operations that allow for browser-mediated signatures that can be used for a variety of cases, from providing end-to-end security (vis-a-vis attestantions of Token Binding / Channel ID) to providing bootstrap-able, discover-able signature schemes.
On Tuesday, July 28, 2015 at 9:46:51 PM UTC+2, Ryan Sleevi wrote:
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
-1 KEYGEN is in use.
This move will be severely detrimental several grass roots communities, such as the WebID community.
[1] https://www.w3.org/community/webid/participants
On Tuesday, July 28, 2015 at 12:46:51 PM UTC-7, Ryan Sleevi wrote:Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
While the discussion was certainly long and fruitful, and ultimately sparked other browsers to evaluate their support, it does not appear any new information or use cases ultimately came to light beyond those already provided.Given that, I'd like to propose we continue by actively deprecating the <keygen> tag (e.g. "Intent to Deprecate"). Usage sits at/below .0002%, with a slight uptick following the kick-off of this thread.
I think there's going to be a significant uptick in usage as letsenctypt is rolled out and PKI is delivered to the masses on the web.
Do you timeline in mind for when the eventual removal should happen, i.e. a date to put in the deprecation message? In either case, LGTM to deprecate.
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
[snip]
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
<keygen>
has been deprecated a few days ago, and the issue has been taken up by @timbl on theTechnical Architecture Group as it removes a useful tool in the asymmetric public key cryptography available in browsers.
One reason given for deprecating that recurs often is that keygen
uses MD5 which opens an attack vector presented in a very good paper "MD5 considered harmful today" at the Chaos Communication Congress in Berlin in 2008 by a number of researchers of which Jacob Appelbaum ( aka. @ioerror ) . ( That was the time when Julian Assange was working freely on Wikileaks, so you can even hear him ask a question at the end )
The slides are here:
https://www.trailofbits.com/resources/creating_a_rogue_ca_cert_slides.pdf
The video is here:
http://chaosradio.ccc.de/25c3_m4v_3023.html
In short they were able to create a fake Certificate Authority (CA) because the CA signed its certificates with MD5 and they were able to create hash collisions, to use the certificate signed by the CA
and change some information in it to produce their own top level certificate, with which
they could create a certificate for any site they wished to! ( Pretty awesomely bad - though they did this carefully to avoid misuse ). This is why projects such as IETFs DANE, DNSSEC, and many other improvements to the internet infrastructure are vital.
This was 7 years ago, so all of this should be fixed by now. There should be no CA signing
Server Certificates with MD5 anymore.
Great. But that has nothing to do with what is going on with <keygen>
. The problem
may well be that the documentation of <keygen>
is misleading here. The WHATWG documentation on keygen currently states:
If the keytype attribute is in the RSA state: Generate an RSA key pair using the settings given by the user, if appropriate, using the md5WithRSAEncryption RSA signature algorithm (the signature algorithm with MD5 and the RSA encryption algorithm) referenced in section 2.2.1 ("RSA Signature Algorithm") of RFC 3279, and defined in RFC 3447. [RFC3279] [RFC3447]
By whether or not keygen
wraps the key and signs it with MD5 is of not much importance, since this is the keyrequest we are speaking of here, not the generated certificate!
To summarise how the keygen is actually used:
1. The browser creates a public/private key, saves the private key in the secure keychain
2. and sends the public key in an spkac request to the server which
3. which on receipt of the certificate request and verification of the data, uses that to create a Client Certificate using any signature algorithm it wants for the creation of the certificate ( And so it SHOULD NOT USE MD5: see CCC talk above )
4. which it returns using one of the x509 mime types available to it,
Here is an illustration of the flow that we use in the WebID-TLS spec to illustrate this:
To see some real code implementing this I point you to my ClientCertificateApp.scala code that receives a certificate Request, and either returns an error or a certificate.
The key parts of the code are extracted below:
def generate = Action { implicit request => certForm.bindFromRequest.fold( errors => BadRequest(html.webid.cert.genericCertCreator(errors)), certreq => { Result( //https://developer.mozilla.org/en-US/docs/NSS_Certificate_Download_Specification header = ResponseHeader(200, Map("Content-Type" -> "application/x-x509-user-cert")), body = Enumerator(certreq.certificate.getEncoded) ) } ) }
CertForm
just takes the data from the html form (verifies all fields are ok) and generates a CertReq
object. ( or it can also take a CertReq
object and generate a form, so that errors can be shown to the user )
val certForm = Form( mapping( "CN" -> email, "webids" -> list(of[Option[URI]]). transform[List[URI]](_.flatten,_.map(e=>Some(e))). verifying("require at least one WebID", _.size > 0), "spkac" -> of(spkacFormatter), "years" -> number(min=1,max=20) )((CN, webids, pubkey,years) => CertReq(CN,webids,pubkey,tenMinutesAgo,yearsFromNow(years))) ((req: CertReq) => Some(req.cn,req.webids,null,2)) )
The spkacFormatter
just returns a public key. ( It plays around with testing the challenge, but I am not sure what that is for - would like to know ).
Anyway as I wrote above: if successful the generate method returns an encoded certificate with the right mime type. And as you can see we create a certificate with SHA1withRSA
val sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA") val digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId) val rsaParams = CertReq.issuerKey.getPrivate match { case k: RSAPrivateCrtKey => new RSAPrivateCrtKeyParameters( k.getModulus(), k.getPublicExponent(), k.getPrivateExponent(), k.getPrimeP(), k.getPrimeQ(), k.getPrimeExponentP(), k.getPrimeExponentQ(), k.getCrtCoefficient()); case k: RSAPrivateKey => new RSAKeyParameters(true, k.getModulus(), k.getPrivateExponent()); } val sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(rsaParams); x509Builder.build(sigGen)
So the MD5
plays no serious role in all this.
This should not be a big surprise. The only thing of value sent to the server is the public key. It sends
back a certificate based on that public key ( and other information it may have on the user ). But the only one to be able to use that certificate is the person owning the private key.
Now my code could presumably be improved in many places I doubt not. But this should show how<keygen>
is actually used. After all remember that <keygen>
was added 10 years after it appeared in browsers, and that there was not that much discussion about the documentation when it was added.
Henry,While I appreciate your continued contributions on this matter, unfortunately, you're operating on an incomplete and inaccurate set of information, and much of what you said has little bearing and brings no new information to the table.Regardless of your views, you've heard from others - and you can indeed see from the mail archives from when WHATWG first spec'd keygen - it was *already deprecated* when it was introduced. It was documented for historic sake, as the WHATWG was trying to document the reality of the union of all sorts of browser-features that were then un/under-specified, not as an encouragement or endorsement for implementation or usage.The use of MD5 is required. When vendors explored changing it to support alternative algorithms, it immediately became clear that this was a breaking and incompatible change for the few (limited) <keygen> users. To change this behaviour is expressly a backwards incompatible change - much like you're arguing deprecating is.
$ openssl pkcs12 -clcerts -nokeys -in ~/Certificates.p12 | openssl x509 -text
Enter Import Password:
MAC verified OK
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:4c:19:67:ea:05
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=WebID, O={}
Validity
Not Before: Mar 14 17:39:42 2015 GMT
Not After : Mar 13 17:49:42 2019 GMT
Subject: dnQualifier=he...@bblfish.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:da:b9:d1:e9:41:f6:f8:5a:08:63:16:9d:0d:b6:
32:8d:1d:4a:15:a7:1d:ff:e3:d4:f4:d0:87:52:a5:
2f:b1:45:4d:73:58:e4:a5:ec:f3:50:1e:39:24:bc:
02:52:f3:00:4b:0b:b2:1a:0d:6b:64:ca:05:3f:0f:
bc:b5:a5:4e:c9:3e:be:2d:c9:b9:1e:4c:43:2b:82:
78:84:c4:cc:2a:d8:a1:02:b4:6d:2a:20:17:bf:45:
d9:d4:c8:8a:56:4d:42:02:34:48:4a:1b:2e:44:6d:
bb:4c:d4:38:e7:9c:24:66:ce:31:0f:32:77:73:a7:
79:d2:4e:d7:b6:0a:05:a6:18:b9:84:75:7b:94:6d:
67:ba:79:f2:e0:64:e6:ae:d3:8b:d6:55:9c:e7:fc:
95:02:72:08:23:d5:6d:b1:c0:34:09:93:67:d7:db:
27:b6:bd:af:da:8c:c4:83:47:13:3f:4a:14:67:5f:
67:5f:b4:84:ce:32:df:66:c1:1a:36:38:fa:84:d5:
be:69:b1:a6:f2:38:11:5d:ef:9b:0f:79:bb:25:c0:
cb:7e:4a:39:45:9a:08:29:b1:fd:35:c0:d1:db:dd:
60:f9:c6:79:d8:94:15:ed:7e:a4:1e:b0:2f:bc:01:
6f:c0:e7:92:cb:96:98:c9:f4:db:84:2c:da:d5:b5:
f5:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name: critical
URI:http://bblfish.net/people/henry/card#me
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement, Certificate Sign
X509v3 Basic Constraints: critical
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Signature Algorithm: sha1WithRSAEncryption
03:25:38:47:76:34:ba:da:0b:40:ea:75:63:98:6b:b0:0b:b6:
11:85:c7:b1:c4:91:cc:5c:99:a5:b5:01:24:6f:1f:8c:03:39:
80:03:e7:50:59:9f:b0:48:6e:e7:16:b8:b7:92:6f:31:cd:cc:
ba:60:40:08:9e:3c:38:5d:19:94:fd:2c:be:6d:84:57:d4:ea:
7f:54:a7:69:73:aa:37:a4:b8:81:21:0c:65:dc:f1:f6:a3:40:
d1:18:cf:04:a4:d6:8b:9a:1f:43:c2:67:4a:0e:8d:00:b7:e8:
49:e3:b7:d5:f9:00:0f:98:32:b2:09:5e:ca:c0:44:37:dc:df:
3b:57:e0:c2:5a:8a:79:0d:55:7a:4a:73:4a:24:64:27:e5:16:
78:d4:c9:35:5e:f8:67:9c:e9:41:bd:c6:25:6b:1b:d7:03:c1:
af:64:d0:e3:0a:ea:58:a4:bc:3a:a4:8f:51:8d:33:58:ed:ba:
af:3d:b7:75:28:32:33:76:65:80:56:ae:ec:43:db:9e:7e:4b:
74:f5:88:07:9f:2d:e8:74:f1:89:d1:af:52:34:07:52:f3:54:
2f:60:fd:de:96:f6:00:67:2e:8f:10:23:e6:af:95:bf:a6:3c:
61:0d:8c:24:47:cf:52:45:0f:96:ee:ca:3a:69:82:69:3b:20:
87:06:5c:58
-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIGAUwZZ+oFMA0GCSqGSIb3DQEBBQUAMB0xDjAMBgNVBAMM
BVdlYklEMQswCQYDVQQKDAJ7fTAeFw0xNTAzMTQxNzM5NDJaFw0xOTAzMTMxNzQ5
NDJaMBwxGjAYBgNVBC4TEWhlbnJ5QGJibGZpc2gubmV0MIIBIDALBgkqhkiG9w0B
AQEDggEPADCCAQoCggEBANq50elB9vhaCGMWnQ22Mo0dShWnHf/j1PTQh1KlL7FF
TXNY5KXs81AeOSS8AlLzAEsLshoNa2TKBT8PvLWlTsk+vi3JuR5MQyuCeITEzCrY
oQK0bSogF79F2dTIilZNQgI0SEobLkRtu0zUOOecJGbOMQ8yd3OnedJO17YKBaYY
uYR1e5RtZ7p58uBk5q7Ti9ZVnOf8lQJyCCPVbbHANAmTZ9fbJ7a9r9qMxINHEz9K
FGdfZ1+0hM4y32bBGjY4+oTVvmmxpvI4EV3vmw95uyXAy35KOUWaCCmx/TXA0dvd
YPnGediUFe1+pB6wL7wBb8DnksuWmMn024Qs2tW19ckCAwEAAaNqMGgwNQYDVR0R
AQH/BCswKYYnaHR0cDovL2JibGZpc2gubmV0L3Blb3BsZS9oZW5yeS9jYXJkI21l
MA4GA1UdDwEB/wQEAwIC7DAMBgNVHRMBAf8EAjAAMBEGCWCGSAGG+EIBAQQEAwIF
oDANBgkqhkiG9w0BAQUFAAOCAQEAAyU4R3Y0utoLQOp1Y5hrsAu2EYXHscSRzFyZ
pbUBJG8fjAM5gAPnUFmfsEhu5xa4t5JvMc3MumBACJ48OF0ZlP0svm2EV9Tqf1Sn
aXOqN6S4gSEMZdzx9qNA0RjPBKTWi5ofQ8JnSg6NALfoSeO31fkAD5gysgleysBE
N9zfO1fgwlqKeQ1VekpzSiRkJ+UWeNTJNV74Z5zpQb3GJWsb1wPBr2TQ4wrqWKS8
OqSPUY0zWO26rz23dSgyM3ZlgFau7EPbnn5LdPWIB58t6HTxidGvUjQHUvNUL2D9
3pb2AGcujxAj5q+Vv6Y8YQ2MJEfPUkUPlu7KOmmCaTsghwZcWA==
-----END CERTIFICATE-----
You've also completely ignored the many platform security implications, and in other fora, suggested these are not real. I'm sorry that you may not fully appreciate the inherent risks of violating the Same Origin Policy, nor may be familiar enough with the keystore APIs to recognize the intrinsic security risks. I'm trying to balance the delicate line between suggesting an argument from authority versus dropping multiple POC's for bugs you don't have visibility into. But there are multiple issues, that affect multiple platforms, that are intrinsic to the behaviours of <keygen>, and with no solutions we've found particularly acceptable or desirable yet compared to both the intent of <keygen> and the cost of implementing.
In short the MD5 in the spkac has no impact.
Those are other issues. I am trying to address issues one by one in this thread, as all the issues otherwise become completely entangled and difficult to follow.
On Fri, Sep 4, 2015 at 10:50 AM, <henry...@gmail.com> wrote:In short the MD5 in the spkac has no impact.This is not true, and I believe suggests a misunderstanding about the literature related to MD5. I don't know if it's entirely appropriate for the discussion here on blink-dev, especially when so much material on the topic is readily available.
Please could you state what you believe the attack vector relating to MD5's use in SPKAC and/or KEYGEN is. You brought this up, so it is reasonable to ask what you think it is. Subsequent discussion has shown no attack vector that compromises either identity or key material. If there is, please elaborate, or if not, let's agree that KEYGEN is not insecure.
$ md5 ~/rfc-6592.txt
MD5 (/Users/hjs/rfc-6592.txt) = 1e001b0a4d2913233714772624d91f29
I can create md5s of any string I want. For some reason the <keygen> authors added an md5 to the key request format sent to the server. But that server does nothing with that MD5 string. All that interests the server is the public key that comes in the spkac packet.
So there was a security problem when Certificate Authorities used MD5 to sign certificates.
But since in the actual usage of <keygen> the MD5 is not at all used, well there is and can be no security hole.
It's a bit of a joke, a bit like the Null Packet RFC 6592 .
MD5 is a message digest algorithm. Wether it is secure depends on what it is used for. For example if I create an MD5 of a file on my file system as a way to explain the command line tool md5, this presents no security threat
On 7 Sep 2015, at 22:01, Ryan Sleevi <sle...@google.com> wrote:On Sun, Sep 6, 2015 at 12:57 AM, <henry...@gmail.com> wrote:MD5 is a message digest algorithm. Wether it is secure depends on what it is used for. For example if I create an MD5 of a file on my file system as a way to explain the command line tool md5, this presents no security threatHenry,Thanks for clarifying that you don't understand/appreciate the security consequences of MD5 collisions, particularly as they apply to signature schemes (such as that employed by CAs issuing certificate - *or* SPKAC certifying keys) or to message digests (allowing multiple messages to result in the same MD5)
I don't believe it's germane to blink-dev@ to explain the security significance of collision resistance, given that there are two decades' worth of research readily available to MD5, and ample security literature on its significance.
I'm afraid you've entirely missed the point for concluding that the concerns of "MD5 in SPKAC" are equivalent to "MD5 in issued certificates for keys attested to via SPKAC", since they are as far as two can be.
the only attack I can think of in your given example is that, acting as
MITM, I substitute the certificate on a signed message with my false
certificate containing a different subject and then let the message
continue on its way. In this way the recipient MAY (only may, not will,
because it depends upon the signed content not containing the real
details of the sender) believe that the message came from someone other
than the real sender.
Here is where it might be useful. You submit a patent application
electronically and I, acting as a MITM, substitute your certificate with
one containing me as the subject, and the patent gets registered in my
name and not yours.
So don't abandon <keygen>, fix it.
WebCrypto Discovery API should be able to find keys there too. ie: Firefox has to give access to NSS/softoken/pkcs11 and Chrome/IE to windows keystore/keychain on OSX
BTW: couple of questions about FIDO:
- If I create keys for foo.com using a U2F compliant USB device (yubikey) on my PC and then I want to login using my mobile...shall I generate another keypair? can't I use one for all? (reverse question may apply)
- could a FIDO key be used for many domains (like eID, allowing me to auth/sign on different domains)
Thanks Ryan for bringing up below what I think are the three underlying reasons
for the move to deprecate <keygen> in html
On 11 Sep 2015, at 16:10, Ryan Sleevi <sle...@google.com> wrote:On Fri, Sep 11, 2015 at 2:59 AM, Henry Story <henry...@gmail.com> wrote:Thanks Ryan for bringing up below what I think are the three underlying reasons
for the move to deprecate <keygen> in htmlHenry,I encourage you to re-read the original thread. It is not a fair or accurate summary to suggest these are the "three underlying reasons for deprecating <keygen>"
I/royal we remain opposed to on numerous grounds (security and privacy being foremost). The Same Origin Policy is a critical piece of the Web.
It it explicitly lacks that property that makes FIDO viable for the Web, without being a security (due to forgery of shared-key attacks) or privacy (due to linkability) nightmare.
Regardless of any argument or discussion beyond that, these are neither the sole nor primary motivating factors, as was explained several times.
On a matter of basic list etiquette, please note that crossposting is considered quite rude and problematic. I have removed your cross-posts, although I do hope you can make sure to let the relevant CC'd lists know that you're summary is not correct.
Cheers.
I believe the 3 reasons mentioned above explain many of the explicitly stated reasons that launched this thread and the consequent deprecation of <keygen> in html5,
which I have had trouble understanding the basis of.
As background for people new to this thread, this follows up on a request by the HTML5 WG to deprecate <keygen> https://github.com/whatwg/html/issues/67 .
The main discussion actually seems to be occuring on the blink-dev chrome list for some reason …
On 11 Sep 2015, at 17:09, Ryan Sleevi <sle...@google.com> wrote:On Fri, Sep 11, 2015 at 8:45 AM, Henry Story <henry...@gmail.com> wrote:I believe the 3 reasons mentioned above explain many of the explicitly stated reasons that launched this thread and the consequent deprecation of <keygen> in html5,I'll be explicit, then: They really don't.The reasons for deprecation of <keygen> were provided. This isn't a meta-hidden-agenda sort of thing. It really is just that simple.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
Certificate and key management - which is system wide, affects all other applications and origins - is itself a fundamentally flawed premise for a browser to be involved in, nor is it required for any 'spec-following' <keygen> implementation. As the original message laid out, there's no way such a feature would have a reasonable chance of succeeding. The very premise of WebID rests on the ability to create a cross-origin super-cookie (the client cert), and the bugs filed make it clear there's a desire to reduce or eliminate the user interaction in doing so.
which I have had trouble understanding the basis of.I can understand you're still confused about the reasoning. But setting up a strawman, that you can then understand, doesn't help advance the discussion. If you're confused, it may help to simply ask questions, rather than try to present arguments.Let's also keep in mind the context. You forked this thread from a discussion specifically about WebCrypto and smartcards. While WebCrypto has certainly been brought up in the discussion of <keygen>, it's important to keep in mind that <keygen> was not being responded to - WebCrypto is. While there are similar principles, which may help further your understanding of the arguments for deprecating <keygen>, care must be taken not to naively equate the arguments as being identical or interchangeable.
I/royal we remain opposed to on numerous grounds (security and privacy being foremost). The Same Origin Policy is a critical piece of the Web.
It it explicitly lacks that property that makes FIDO viable for the Web, without being a security (due to forgery of shared-key attacks) or privacy (due to linkability) nightmare.
"I don't understand what you meant by forgery of shared key attacks. Is that related to MD5, or is it something different?"You've been singing the praises of FIDO, but it seems like that requires certificates. I understand your issue to be about certificates and privacy, is that correct? I'm not sure I understand why server certificates would be different security than client certificates - could you explain?"
On Thu, Sep 10, 2015 at 11:30 AM, <helpc...@gmail.com> wrote:WebCrypto Discovery API should be able to find keys there too. ie: Firefox has to give access to NSS/softoken/pkcs11 and Chrome/IE to windows keystore/keychain on OSXIE does not grant such access - it's never implemented <keygen>. The ActiveX object it does provide allows for full system modification, so that's hardly a good model.
And there are zero plans for WebCrypto to do this (it's deliberately out of scope of the charter), and I/royal we remain opposed to on numerous grounds (security and privacy being foremost). The Same Origin Policy is a critical piece of the Web.
BTW: couple of questions about FIDO:
- If I create keys for foo.com using a U2F compliant USB device (yubikey) on my PC and then I want to login using my mobile...shall I generate another keypair? can't I use one for all? (reverse question may apply)
- could a FIDO key be used for many domains (like eID, allowing me to auth/sign on different domains)No. And it's the fact that it explicitly lacks that property that makes FIDO viable for the Web, without being a security (due to forgery of shared-key attacks) or privacy (due to linkability) nightmare.
BTW: If this decision is already made (there's no way back, no matter how many reasons anyone give against, including timbl), it's correct to consider keygen will be removed/disabled on Chrome 47?
If MS doesn't provide this feature, is not a reason not to support it. (Otherwise Chrome shouldn't support <file multiple> until....2015? lol)
I understand SOP as a security principle, but I'm also worried about the user needing to register on each government domain to generate a keypair...one for taxes, another for work-office. another for townhall...how many keys is yubikey able to store? :PIf I understand properly, only if a National SSO is deployed, this could be "bypassed".
I still don't understand, but probably it's a lack-of-english issue.
Yes=you need a new keypair? or Yes=you can share the keypair somehow?
Anyhow, I don't yet see the problem (/reasons not) to integrate FIDO+keystore and even FIDO+X509. Could you elaborate?
Neither I see the "urgency" to deprecate <keygen>. At least, you have to admit this process has been "quite fast" and perhaps "didn't have enough public discussion" before being deprecated on WHATWG/Chrome.
BTW: If this decision is already made (there's no way back, no matter how many reasons anyone give against, including timbl), it's correct to consider keygen will be removed/disabled on Chrome 47? Help me with the maths: in 3 months? Can you give an estimated date?
While some state strongly that client side, x.509 based PKI's do not work at internet scale; they are a common beast in isolated communities. A very large percentage of the military on the western seaboard and NATO (NAVO/OTAN) uses them; there are countries where they are very widely deployed in places like hospitals, pharmacies and primary care; and lots and lots of enterprises.
I understand SOP as a security principle, but I'm also worried about the user needing to register on each government domain to generate a keypair...one for taxes, another for work-office. another for townhall...how many keys is yubikey able to store? :PIf I understand properly, only if a National SSO is deployed, this could be "bypassed".All of this is a misdirect. No national ID card is using <keygen> for enrollment in Chrome, as the functionality does not and has never existed in Chrome to let you provision national ID cards, nor will it.
There is not and has never been a way to provision smartcards via HTML in Chrome.
On Mon, Sep 14, 2015 at 2:22 AM, Dirk-Willem van Gulik <dir...@gmail.com> wrote:While some state strongly that client side, x.509 based PKI's do not work at internet scale; they are a common beast in isolated communities. A very large percentage of the military on the western seaboard and NATO (NAVO/OTAN) uses them; there are countries where they are very widely deployed in places like hospitals, pharmacies and primary care; and lots and lots of enterprises.While this is certainly true, it's also categorically true that none of these enterprises use <keygen>, because <keygen> does not allow interaction with the smart card.
What remains is internal PKIs in use without a smart card, and as such, existing systems management tools work (and work better) for this case. As you note, more mature solutions - such as Active Directory - exist to provision such devices.
I think you are going to fast there; yes; the common mode in the modern systems is indeed a smartcard; and KEYGEN has no bearing to that at all. But virtually all of these systems also need to deal with the realities of arcane devices, special cases, older kit, 'soft tokens', hardware, special exceptions where you actually want permit a clonable key under some limited settings and so on.
So, as in the enterprise, todays modern system; is tomorrows legacy system, it behoves us to keep having a lowest common denominator in our technology until we have the alternatives well established;
and think in periods of 10 years and longer.
On 14 Sep 2015, at 11:16, 'Ryan Sleevi' via blink-dev <blin...@chromium.org> wrote:On Mon, Sep 14, 2015 at 3:08 AM, Dirk-Willem van Gulik <di...@webweaving.org> wrote:So, as in the enterprise, todays modern system; is tomorrows legacy system, it behoves us to keep having a lowest common denominator in our technology until we have the alternatives well established;And we have that - via WebCrypto.
If the argument is that we need to support <keygen> itself in perpetuity, and that no amount of suitable alternatives exist (whether they be via Extensions or via alternatives), then that's not really a good state either.and think in periods of 10 years and longer.If those are the timescales you think of, then relying on a browser is not a good position :) Few platforms survive 10 years - you're either terribly insecure or you're in an entirely different position. It's not reasonable to ask the browser not to change for 10 years, when the OS underneath the browser can't even make that promise for 5 years.For example, in the past 10 years, SSL2, SSL3, and MD5 support have been removed from browsers. RC4 is on the way out shortly. Servers have had to adjust to that - and thus should be able to adjust to <keygen>. For systems and servers that cannot, alternatives exist aplenty, so the tales of doom are not really there.
On Mon, Sep 14, 2015 at 2:22 AM, Dirk-Willem van Gulik <dir...@gmail.com> wrote:While some state strongly that client side, x.509 based PKI's do not work at internet scale; they are a common beast in isolated communities. A very large percentage of the military on the western seaboard and NATO (NAVO/OTAN) uses them; there are countries where they are very widely deployed in places like hospitals, pharmacies and primary care; and lots and lots of enterprises.While this is certainly true, it's also categorically true that none of these enterprises use <keygen>, because <keygen> does not allow interaction with the smart card.
On Mon, Sep 14, 2015 at 1:04 AM, helpcrypto helpcrypto <helpc...@gmail.com> wrote:If MS doesn't provide this feature, is not a reason not to support it. (Otherwise Chrome shouldn't support <file multiple> until....2015? lol)It's one thing for a browser vendor to not support something _yet_. It's quite another to not support it and explicitly have no plans to support it and objections to it.
I understand SOP as a security principle, but I'm also worried about the user needing to register on each government domain to generate a keypair...one for taxes, another for work-office. another for townhall...how many keys is yubikey able to store? :PIf I understand properly, only if a National SSO is deployed, this could be "bypassed".All of this is a misdirect. No national ID card is using <keygen> for enrollment in Chrome, as the functionality does not and has never existed in Chrome to let you provision national ID cards, nor will it.
So it's clear that no national ID scheme - such as filing taxes and for work - will be affected.
If you have such an ID card, and you install the appropriate smart card middleware/drivers, it will just work, regardless of the handling for either application/x-x509-user-cert or <keygen>. If you need to renew your card, you have to go in person with that card, the same as you would have to do with <keygen> support today.
There is not and has never been a way to provision smartcards via HTML in Chrome.
I still don't understand, but probably it's a lack-of-english issue.
Yes=you need a new keypair? or Yes=you can share the keypair somehow?I had hoped the link would have made it clear, because in the introductory paragraph, it explains precisely that it is intended for using the same key across multiple applications (which may themselves be across multiple devices). That is, using the same key between an Android App, an iOS app, and a Web origin - provided that all three are operated by the same (logical) entity.No, you do not need a new keypair.Yes, you can share the keypair - using the steps in the link I gave.
Anyhow, I don't yet see the problem (/reasons not) to integrate FIDO+keystore and even FIDO+X509. Could you elaborate?I suspect this is a terminology issue, but the entire reason that FIDO is viable is because it's not integrated with the keystore. And there's nothing preventing a FIDO-backed key from being integrated with X.509, but FIDO intentionally and explicitly defines the format of messages that can be signed with that key (which is the only reason that FIDO is secure in a multi-origin world). So you would not be able to integrate FIDO with an arbitrary protocol (such as CMS or SCEP), since it's explicitly designed to restrict the ability of an origin to affect the overall format of messages (the origin can sign whatever they want in the unauthenticated portion, but the browser/UA will always implement a trusted wrapper that provides browser-mediated information)
Neither I see the "urgency" to deprecate <keygen>. At least, you have to admit this process has been "quite fast" and perhaps "didn't have enough public discussion" before being deprecated on WHATWG/Chrome.Some behaviours of <keygen> are going away, soon, period.
The question is, in light of these changes, what value does <keygen> itself pose at all? None.BTW: If this decision is already made (there's no way back, no matter how many reasons anyone give against, including timbl), it's correct to consider keygen will be removed/disabled on Chrome 47? Help me with the maths: in 3 months? Can you give an estimated date?You should arguably consider it deprecated now (as it was already deprecated since introduction). The only question is when and how the actual _specified_ behaviours will change.
I'll answer two of Ryan Sleevi's points.1. the one about WebCrypto being a replacement for <keygen>summary: it can't because WebCrypto is limited to same origin, and has no tie into chrome, so no ability to put the user in control
2. that keygen cannot be used to provision with an external hardware deviceWe have a video of such a thing being done on open hardware
You don't have that via WebCrypto, since WebCrypto does not allow one to create a certificatethat can be used in the keystore used by TLS to authenticate to other web sites.
At least in Spain, National ID is not populated on browser, and considering 910/2014 EU, each country has to support "all the certificates published on "european" TSLs).That is, there some certs from specific Issuers/CA that are generated/enrolled using <keygen>. We use some of them. eg: FNMT.Evenmore: Spanish eID is a pain in the ass, so most people use FNMT/other issuer/pre-shared passwords.
We are using Firefox, but I think similar implications would arise. Mozilla discussion seem to be "happening here" also.
My "real" question still remain: Why I can't store FIDO keys on NSS/browser/keystore?From this paragraph...could I use an X509 public key for the FIDO key register process? (hence sharing X509/FIDO?)
On 14 Sep 2015, at 16:28, Ryan Sleevi <sle...@google.com> wrote:On Mon, Sep 14, 2015 at 3:32 AM, Henry Story <henry...@gmail.com> wrote:I'll answer two of Ryan Sleevi's points.1. the one about WebCrypto being a replacement for <keygen>summary: it can't because WebCrypto is limited to same origin, and has no tie into chrome, so no ability to put the user in controlYou're not discussing <keygen>, you're discussing application/x-x509-user-cert then.
2. that keygen cannot be used to provision with an external hardware deviceWe have a video of such a thing being done on open hardwareThis is not and has never been possible in Chrome, so it's clearly not a necessary or required implementation feature. It's also something Chrome would never implement.
You don't have that via WebCrypto, since WebCrypto does not allow one to create a certificatethat can be used in the keystore used by TLS to authenticate to other web sites.Neither does <keygen>. <keygen> does *nothing* with certificates nor has anything to do. That's application/x-x509-user-cert. However, that handling is also going away, with no replacement, and that's never been standardized behaviour nor implemented beyond Firefox and Chrome, and incompatibly so.
However, you can still synthesize and download a PKCS#12 file, so you still have a path to import a key and a certificate into an OS store, mediated with a user interactivity requirement (of finding and executing the downloaded file, and spawning the OS interactivity). This is the same requirement imposed by Safari, so again, if the concern is interoperability, the future direction is already interoperable with Safari's implementation.
You're arguing for a preservation of functionality that was never part of <keygen>, nor specified, so you can hopefully see why that's so problematic.
You can't deny that both <keygen> and x-x509-* cert mime type handling have tie ins into the chrome. <keygen> brings up an extra field in a form, and x509 cert mime type handling shows thatthe certificate is being uploaded to the keystore.And you can't deny that webcrypto does not.
It's not helpful in a discussion to take absolute positions like this. It makes you look like a dictator, with no intent to listen to what anyone has to say. As far as I know this is an open source project,and there is a community of web users that goes beyond the browser vendors that have things to say, which it would be polite if you were to listen to them without dismissing all ideas in advance.
From my experience and others who have actually written code to use these features I'd like to disagree. We have been able to use keygen and the x-509 certificate mime types without distinction across Chrome, Opera, Firefox and Safari. In IE the code was a bit different but the logic was pretty much the same.That this was not well documented is another matter entirely. And one that Tim Berners Lee in this thread has asked to be fixed.
The problem is that you don't really want to take input from any users, be they Tim Berners Lee, people from the BBC, governmetns, hackers, etc. etc... That is not the way to run an open source project.
On 14 Sep 2015, at 18:14, Ryan Sleevi <sle...@google.com> wrote:On Mon, Sep 14, 2015 at 8:58 AM, Henry Story <henry...@gmail.com> wrote:You can't deny that both <keygen> and x-x509-* cert mime type handling have tie ins into the chrome. <keygen> brings up an extra field in a form, and x509 cert mime type handling shows thatthe certificate is being uploaded to the keystore.And you can't deny that webcrypto does not.Let me try to put it in a different way:- Can you accomplish with WebCrypto+application/x-x509-user-cert what you can with <keygen>+application/x-x509-user-cert?The answer is yes.
Elsewhere, you argue that WebCrypto is not secure, because an attacker 'might' be able to inject JS. Well, if they can inject JS, they can manipulate <keygen> (such as removing it and replacing it with a WebCrypto polyfill), so that argument doesn't hold. The server's access to the key material is limited to the step of provisioning - but it's that same step of provisioning where they're expected to use <keygen>. An evil server could remove the <keygen> tag and just use application/x-x509-user-cert as a cert+key delivery vector - or condition the user to click a PKCS#12 file - so the 'security' strengths of <keygen> do not hold up under any conceivable attack model when you actually look at the system holistically, rather than in isolation.
The next question is whether you can do what you can with WebCrypto what you can do with WebCrypto+application/x-x509-user-cert. And the answer again is "Yes" on a technical level, with the only difference being a degree of user interaction.
But here again, application/x-x509-user-cert has to change to include interactivity, so having a requirement of interaction is no different. So yes, you can do the same thing, with the same costs.It's not helpful in a discussion to take absolute positions like this. It makes you look like a dictator, with no intent to listen to what anyone has to say. As far as I know this is an open source project,and there is a community of web users that goes beyond the browser vendors that have things to say, which it would be polite if you were to listen to them without dismissing all ideas in advance.Security decisions are made to protect the security of users. When there's a conflict, our overriding concern is that of security. That's a point that seems to be repeatedly missed here - regardless of any discussion here, there are some solutions that are unacceptable from a security standpoint, and that's not negotiable. Yes, it's open-source, but there are also unacceptable lines to be crossed.
From my experience and others who have actually written code to use these features I'd like to disagree. We have been able to use keygen and the x-509 certificate mime types without distinction across Chrome, Opera, Firefox and Safari. In IE the code was a bit different but the logic was pretty much the same.That this was not well documented is another matter entirely. And one that Tim Berners Lee in this thread has asked to be fixed.This is the same group that in 2014 said <keygen> was entirely unnecessary ( https://lists.w3.org/Archives/Public/public-webid/2014Jul/0075.html ) ,
and in 2011 showed it was possible to polyfill with Javascript ( http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_7.pdf )
You're arguing for the sanctity of a feature that even your fellow developers agree is unnecessary for your use case.The problem is that you don't really want to take input from any users, be they Tim Berners Lee, people from the BBC, governmetns, hackers, etc. etc... That is not the way to run an open source project.I think that's a fairly gross mischaracterization. Your input and feedback has been taken into consideration - and your use case even before you provided feedback.We remain at an impasse, however, because you don't understand why things are changing - despite efforts to explain - and you don't want to accept you don't need it - despite acknowledging it for years. Just because the conclusion is different than what you want doesn't mean your feedback wasn't considered - but it doesn't mean that "taking feedback" will result in the desired outcome. We gather feedback, but that doesn't mean we won't take action if there's objections - it means that those objections are weighed with the other risks and costs.This is no different than the notion of "rough consensus" (whether you talk W3C or IETF). It's not that everyone needs to agree. It's that everyone needs to be heard. And I think the sheer number of replies detailing and explaining things to you should unquestionably give you the realization that you have been heard, and understood, but there remains disagreement, and there hasn't been new information brought to this thread that was not considered, not since the thread started.I've tried to explain to you, in the 20+ messages on this and related threads, these concerns, so that you can understand *why* your feedback is not sufficient to meaningfully alter the discussion of considerations, precisely so that you understand you have been heard. But that's not something that can go on indefinitely - at the end of the day, work needs to be done.
On 14 Sep 2015, at 19:14, Ryan Sleevi <sle...@google.com> wrote:On Mon, Sep 14, 2015 at 8:58 AM, Henry Story <henry...@gmail.com> wrote:You can't deny that both <keygen> and x-x509-* cert mime type handling have tie ins into the chrome. <keygen> brings up an extra field in a form, and x509 cert mime type handling shows thatthe certificate is being uploaded to the keystore.And you can't deny that webcrypto does not.Let me try to put it in a different way:
- Can you accomplish with WebCrypto+application/x-x509-user-cert what you can with <keygen>+application/x-x509-user-cert?
As far as I know application/x-x509-user-cert do not come with private keys.
So, if the evil JS generated an application/x-x509-user-cert it would not have been able to placethe private key in the browser's favorite keychain, so that certificate would be of no use.
yes, that's what is important since the legal principle we need to abide by is that of user control.See the tag finding on Unsanctioned Web Tracking that makes the importance of this concept
You mean using public keys across origins? One can actually do that with WebCrypto
Kingsley Idehen meant that one can write plugins to fix the flaws of browsers. That is a workaround rather than a solution.
I hope you'll agree that using Flash is not a good answer.
SOP is a technical tool that is important in providing certain guarantees, but it doesnot answer all the issues of security and control that are legal requirements.
Perhaps you can help me with the question I asked on the TAG here where I discuss an interestinguse of WebCrypto for distributed authentication
As you see we are very keen to learn. It would help if instead of forcing deprecation of a well knownfeature we had time to work out if WebCrypto actually allowed us to replace the functionality you say it allows us to.
I.e. where entity A can issue a client cert against a private key that is (only) in a browser (lets limit this to soft tokens for now); and that entity B can rely on. And with the only ‘out of band’, collusion or coordination between A and B being some cert higher up in the chain A used when it issued & signed.