Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal. Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On some level, this removal will remove support for arbitrarily adding keys to the users' device-wide store, which is an intentional, by-design behaviour.
While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability, and represents an authentication scheme that does not work well for the web. An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities.
[11] https://developer.chrome.com/extensions/enterprise_platformKeys
[12] https://fidoalliance.org/
[14] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
Usage information from UseCounter
https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
Based on data seen from Google crawler (unfortunately, not public), the number of sites believed to be affected is comically low.
OWP launch tracking bug
https://code.google.com/p/chromium/issues/detail?id=514767
Entry on the feature dashboard
https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
Requesting approval to remove too?
No
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal.
Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
This argument seems week. We absolutely allow browsers to do things like register for protocol handlers.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On Jul 29, 2015 3:42 AM, <kai.e...@gmail.com> wrote:
>
> Does WebCrypto offer any way to guarantee that the client side private key will never leave the client computer?
>
extractable=false, but I doubt that is the level you're trying to get.
It only guarantees that the browser won't export it - naturally, the browser can't make any guarantees about other software on the machine, and it is intentional and by-design that WebCrypto does not expose any smart card access whatsoever (to do so is fundamentally insecure, and long-term privacy hostile)
On Jul 30, 2015 8:43 AM, "David Benjamin" <davi...@chromium.org> wrote:
>
>
> Does our implementation of <keygen> give you smartcard access anyway?
No
> In theory one could render <keygen> as a more complex widget that selects what token/whatever to put the key on, but I don't think we do more than the dropdown. I would think it just uses the default software key store everywhere.
Correct.
On Jul 30, 2015 7:42 AM, <melvinc...@gmail.com> wrote:
>
>
> -1 KEYGEN is in use.
>
> This move will be severely detrimental several grass roots communities, such as the WebID community.
>
> [1] https://www.w3.org/community/webid/participants
>
This comment doesn't really address any of the technical concerns raised. WebID has repeatedly demonstrated a willingness to appropriate ill-suited technology, and has readily acknowledged that no browser implements the desired functionality for WebID to be successful.
WebID is still nascent, and readily admits it won't work with Edge. An alternative would be for WebID to proceed with standards that are actually widely used and have a viable chance at being usable - such as WebCrypto.
But it seems odd to hold a feature that was never fit to purpose nor working as desired hostage for experimental activity in a CG.
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.
No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
> As I understand web crypto requires the private keys generated to be downloaded into the local storage of the browser. Due to entirely reasonable security restrictions of the browser the private key can from that storage only be used for that one origin ( which means that it can still be misused by any JS that is downloaded to a web site! ) That restriction removes many of the uses of public key cryptography that would allow one to strengthen the security of the web. Furthermore storing private keys in local storage seems a lot less secure than storing it encrypted in a keychain that is either tied to the browser like Netscape or tied the OS.
<keygen> is never speced to behave as you describe. That it does is simply a matter of emulating Netscape's original behaviour, but as noted earlier, even those that emulate the behaviour do so inconsistently.
For example, using <keygen> on iOS in a webview doesn't affect the Safari keychain - as apps can't write into that.
>
> So I don't see that WebCrypto has proved itself yet as a substitute for client side certificates.
Correct, because it intentionally is not trying to offer a 1:1 emulation of client certificates, because they're a horrible and broken technology for the web at large (e.g. outside niche enterprise use cases). This is a fundamental flaw that WebID has been struggling with, without solution or adoption, for over for years.
However, alternatives exist - both via WebCrypto (as clearly demonstrated by Mozilla's past efforts through Persona) and via FIDO (as clearly demonstrated by Google, Microsoft, and others) - that offer more meaningful, usable, robust alternatives.
> As for wether WebID can work with Edge ( Microsoft Edge? ) or not I don't think we have yet looked at it. Why would it not work there?
Please read my original message, detailing the varying incompatibilities with <keygen>.
None of these are new to the WebID folks - nor has there been any traction whatsoever on the pet features the WebID CG have deemed essential to WebID (such as TLS logout). The hope is that WebID will, after the considerable time spent as a CG, realize there are alternative technical solutions that offer the same fundamental properties in more usable, more widely supported ways, without relying on the esoteric incompatible behaviours of browsers (as it does today, for example, TLS logout).
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
> As I understand web crypto requires the private keys generated to be downloaded into the local storage of the browser. Due to entirely reasonable security restrictions of the browser the private key can from that storage only be used for that one origin ( which means that it can still be misused by any JS that is downloaded to a web site! ) That restriction removes many of the uses of public key cryptography that would allow one to strengthen the security of the web. Furthermore storing private keys in local storage seems a lot less secure than storing it encrypted in a keychain that is either tied to the browser like Netscape or tied the OS.
<keygen> is never speced to behave as you describe. That it does is simply a matter of emulating Netscape's original behaviour, but as noted earlier, even those that emulate the behaviour do so inconsistently.
For example, using <keygen> on iOS in a webview doesn't affect the Safari keychain - as apps can't write into that.
>
> So I don't see that WebCrypto has proved itself yet as a substitute for client side certificates.Correct, because it intentionally is not trying to offer a 1:1 emulation of client certificates, because they're a horrible and broken technology for the web at large (e.g. outside niche enterprise use cases). This is a fundamental flaw that WebID has been struggling with, without solution or adoption, for over for years.
However, alternatives exist - both via WebCrypto (as clearly demonstrated by Mozilla's past efforts through Persona) and via FIDO (as clearly demonstrated by Google, Microsoft, and others) - that offer more meaningful, usable, robust alternatives.
> As for wether WebID can work with Edge ( Microsoft Edge? ) or not I don't think we have yet looked at it. Why would it not work there?
Please read my original message, detailing the varying incompatibilities with <keygen>.
None of these are new to the WebID folks - nor has there been any traction whatsoever on the pet features the WebID CG have deemed essential to WebID (such as TLS logout). The hope is that WebID will, after the considerable time spent as a CG, realize there are alternative technical solutions that offer the same fundamental properties in more usable, more widely supported ways, without relying on the esoteric incompatible behaviours of browsers (as it does today, for example, TLS logout).
On Jul 31, 2015 3:23 AM, <henry...@gmail.com> wrote:
>
> It does if you use it the way the WebID-TLS spec specifies it:
> http://www.w3.org/2005/Incubator/webid/spec/
>
I think we will just have to agree to disagree here. As it relates to UX, as it relates to interactions with users' antivirus, as it relates to other devices and form factors, WebID-TLS is irreparably flawed. WebID-TLS advocates - such as yourself - should find this as no surprise. You (the CG) have lamented about 'bugs' (things working as designed) that hold it back.
As it relates to the browser, WebID-TLS merely appropriates the nearest technology, poorly, and with a number of problems. But finding a way to solve WebID-TLS isn't entirely germane to this discussion, and I've offered copious constructive feedback over the years of these efforts to try to assist you. Unfortunately, I think it's best to simply note that you disagree, but given that viable technical alternatives exist, that disagreement is by no means reason to keep a non-interoperable, problematic, insecure-by-design API around.
> So you admit that you want to remove a feature that cannot be emulated by other technologies. Why not instead first try to see if your favorite technology meets the use case that WebID tries to address, and then when it does a case can be made for deprecating other technologies. For the moment your attempt is too hasty.
I have provided you constructive feedback for over four years on advising you about the inherent flaws of the design. It is neither reasonable nor polite to suggest that I spend another year, or more, offering much of the same feedback, which will simply be ignored not because it is insufficient for your needs, but because you're change averse.
> You did not answer my concerns about JS crypto:
> * requires private keys to be served on the users local storage in a non secure manner
No different than <keygen>
> * is open to be read by any JS from the same origin, which is extreemly difficult to control, and as a result creates very difficult to enforce limitations of JS on web servers
If you can't control same-origin scripts, you have lost the game. Security game over.
> * is thefore open to fishing attacks
This isn't how phishing works. The same-origin policy gives you greater protection, not less.
> * suffers from all of the JS security issues
> For example logout could easily be solved by browsers by making that capability visible in the chrome. Proposals for that have been made: it's just requires some UI innovtaion. This issue will pop up any other way you try to do things, which is why the Web Crypto folks still cannot do the right thing.
>
I spent several years detailing to you in excruciating detail why this is technically flawed and fundamentally incompatible with how the web, TLS, and servers work. I seriously doubt you will take heed this time, but there is no doubt I've made extensive good faith effort at providing actionable technical solutions.
I hope you can understand my frustration that, despite years of providing technical feedback, WebID continues to insist on a broken model.
I can appreciate deprecating <keygen> will break the academic, experimental concept that is WebID. However, suitable technical alternatives do exist, if the WebID CG were to invest in the technical work, so this really falls on WebID. It's also clear that 'no' (for some value of 'no' that is nearly non-existent) users are actually using WebID, which again is consistent with the four+ years of the CG trying to promote WebID-TLS, so even the impact of WebID needing to readjust the design is exceedingly minimal.
My hope is that you'll take the time to evaluate the many messages I've sent in the past on this, as well as the ample feedback to the non-bugs, as I doubt there is anything more I can offer you in conversation on this thread beyond what has been said. When I wrote this message, I was and am very familiar with the WebID work, on a deep technical level, and I still stand by every bit that I said in the original message arguing for the deprecation in spite of this.
On Jul 31, 2015 3:23 AM, <henry...@gmail.com> wrote:
>
> It does if you use it the way the WebID-TLS spec specifies it:
> http://www.w3.org/2005/Incubator/webid/spec/
>I think we will just have to agree to disagree here. As it relates to UX, as it relates to interactions with users' antivirus, as it relates to other devices and form factors, WebID-TLS is irreparably flawed. WebID-TLS advocates - such as yourself - should find this as no surprise. You (the CG) have lamented about 'bugs' (things working as designed) that hold it back.
As it relates to the browser, WebID-TLS merely appropriates the nearest technology, poorly, and with a number of problems. But finding a way to solve WebID-TLS isn't entirely germane to this discussion, and I've offered copious constructive feedback over the years of these efforts to try to assist you. Unfortunately, I think it's best to simply note that you disagree, but given that viable technical alternatives exist, that disagreement is by no means reason to keep a non-interoperable, problematic, insecure-by-design API around.
> So you admit that you want to remove a feature that cannot be emulated by other technologies. Why not instead first try to see if your favorite technology meets the use case that WebID tries to address, and then when it does a case can be made for deprecating other technologies. For the moment your attempt is too hasty.
I have provided you constructive feedback for over four years on advising you about the inherent flaws of the design. It is neither reasonable nor polite to suggest that I spend another year, or more, offering much of the same feedback, which will simply be ignored not because it is insufficient for your needs, but because you're change averse.
> You did not answer my concerns about JS crypto:
> * requires private keys to be served on the users local storage in a non secure mannerNo different than <keygen>
> * is open to be read by any JS from the same origin, which is extreemly difficult to control, and as a result creates very difficult to enforce limitations of JS on web servers
If you can't control same-origin scripts, you have lost the game. Security game over.
> * is thefore open to fishing attacks
This isn't how phishing works. The same-origin policy gives you greater protection, not less.
> * suffers from all of the JS security issues
> For example logout could easily be solved by browsers by making that capability visible in the chrome. Proposals for that have been made: it's just requires some UI innovtaion. This issue will pop up any other way you try to do things, which is why the Web Crypto folks still cannot do the right thing.
>I spent several years detailing to you in excruciating detail why this is technically flawed and fundamentally incompatible with how the web, TLS, and servers work. I seriously doubt you will take heed this time, but there is no doubt I've made extensive good faith effort at providing actionable technical solutions.
On Friday, 31 July 2015 11:33:21 UTC+2, Ryan Sleevi wrote:
On Jul 31, 2015 1:44 AM, <henry...@gmail.com> wrote:
>
> As I understand WebCrypto ( the JS libraries ) do not allow the chrome to ask the user to select the keys. This is probably due to the fact that JS is too powerful a language to be able to correctly constrain what is done, breaking the rule of least power [1]. Currently TLS client certificate selection is the only way to allow the user to select a key and use it.No, this is not correct. You can create keys for your origin, store them, and have full control over the UI.
What you don't get is to use those keys for TLS client auth, and that's a good thing, because TLS client auth simply doesn't work for the web at scale.
It does if you use it the way the WebID-TLS spec specifies it:This allows you to use one certificate to authenticate to all servers. WebCrypto as you admit does not do that.
Primary eng (and PM) emails
Summary
This is an intent to deprecate, with the goal of eventually removing, support for the <keygen> element [1], along with support for special handling for the application/x-x509-user-cert [2].
This is a pre-intent, to see if there are any show-stopping use cases or compatibility risks that have hitherto been unconsidered.
[1] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[2] https://wiki.mozilla.org/CA:Certificate_Download_Specification
Motivation
History: <keygen> was an early development by Mozilla to explore certificate provisioning. Originally Firefox exclusive, it was adopted by several mobile platforms (notably, Nokia and Blackberry), along with support for the certificate installation mime-types. During the First Browser Wars, Microsoft provided an alternative, via ActiveX, called CertEnroll/XEnroll. When iOS appeared on the scene, <keygen> got a boost, as being the initial way to do certificate provisioning, and along with it brought support into Safari. It was then retro-spec'd into the HTML spec.
Issues: There are a number of issues with <keygen> today that make it a very incompatible part of the Web Platform.
1) Microsoft IE (and now Edge) have never supported the <keygen> tag, so its cross-browser applicability is suspect. [3] Microsoft has made it clear, in no uncertain terms, they don't desire to support Keygen [4][5]
2) <keygen> is unique in HTML (Javascript or otherwise) in that by design, it offers a way to persistently modify the users' operating system, by virtue of inserting keys into the keystore that affect all other applications (Safari, Chrome, Firefox when using a smart card) or all other origins (Firefox, iOS, both which use a per-application keystore)
3) <keygen> itself is not implemented consistently across platforms, nor spec'd consistently. For example, Firefox ships with a number of extensions not implemented by any other browser (compare [6] to [7])
4) <keygen> itself is problematically and incompatibly insecure - requiring the use of MD5 in a signing algorithm as part of the SPKAC generated. This can't easily be changed w/o breaking compatibility with UAs.
5) <keygen> just generates keys, and relies on application/x-x509-*-cert to install certificates. This MIME handling, unspecified but implemented by major browsers, represents yet-another-way for a website to make persistent modifications to the user system.
6) Mozilla (then Netscape) quickly realized that <keygen> was inadequate back in the early 2000s, and replaced it with window.crypto.generateCRMFRequest [8], to compete with the CertEnroll/XEnroll flexibility, but recently removed support due to being Firefox only. This highlights that even at the time of introduction, <keygen> was inadequate for purpose.
[3] https://connect.microsoft.com/IE/feedback/details/793734/ie11-feature-request-support-for-keygen
[4] https://lists.w3.org/Archives/Public/public-html/2009Sep/0153.html
[5] https://blog.whatwg.org/this-week-in-html5-episode-35
[6] https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
[7] https://html.spec.whatwg.org/multipage/forms.html#the-keygen-element
[8] https://developer.mozilla.org/en-US/docs/Archive/Mozilla/JavaScript_crypto/generateCRMFRequest
Compatibility Risk
While there is no doubt that <keygen> remains used in the wild, both the use counters [9] and Google's own crawler indicate that it's use is extremely minimal. Given that Mozilla implements a version different than the HTML spec, and given that Microsoft has made it clear they have no desire to implement, the compatibility risk is believed to be low in practice.
Mozilla is also exploring whether or not to remove support for the application/x-x509-*-cert types [10], but has not yet (to my knowledge) discussed <keygen> support - either aligning with the (much more limited) spec, extending the spec with the Mozilla-specific extensions, or removing support entirely.
On the application/x-x509-*-cert support, there is a wide gap of interoperability. Chrome does not support multiple certificates, but Firefox does. Firefox will further reorder certificates that are inconsistent with what was specified, offering a non-standard behaviour. Chrome does not support application/x-x509-ca-cert on Desktop, and on Android, defers to the platform capabilities, which further diverge from Firefox. Both browsers have the underspecified behaviour of requiring the user having a matching key a-priori, except that's not detailed as to how it works. Firefox also handles various mis-encodings (improper DER, DER when it should be base64), which Chrome later implemented, but is not well specified.
[9] https://www.chromestatus.com/metrics/feature/popularity#HTMLKeygenElement
[10] https://bugzilla.mozilla.org/show_bug.cgi?id=1024871
Alternative implementation suggestion for web developers
The primary use cases for <keygen>, from our investigations, appear to be tied to one of two use cases:
- Enterprise device management, for which on-device management capabilities (Group Policies, MDM profiles, etc) represent a far more appropriate path. That is, you would not expect a web page to be able to configure a VPN or a users proxy, so too should you not expect a webpage to configure a user's system key store.
- CA certificate enrollment, for which a variety of alternatives exist (e.g. integrated to the web server, CA specific-tools such as SSLMate or protocols such as Let's Encrypt, etc). Here again, it does not seem reasonable to expect your web browser to configure your native e-mail client (such as for S/MIME)
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
On some level, this removal will remove support for arbitrarily adding keys to the users' device-wide store, which is an intentional, by-design behavior.
While a use case exists for provisioning TLS client certificates for authentication, such a use case is inherently user-hostile for usability,
and represents an authentication scheme that does not work well for the web.
An alternative means for addressing this use case is to employ the work of the FIDO Alliance [12], which has strong positive signals from Microsoft and Google (both in the WG), is already supported via extensions in Chrome [13], with Mozilla evaluating support via similar means [14]. This offers a more meaningful way to offer strong, non-phishable authentication, in a manner that is more privacy preserving, offers a better user experience, better standards support, and more robust security capabilities.
Alternative implementation suggestion for web developers
Within the browser space, alternatives exist such as:
- Use the device's native management capabilities if an enterprise use case. On Windows, this is Group Policy. On iOS/Android, this is the mobile device management suites. On OS X, this is Enterprise settings. On ChromeOS, there is chrome.enterprise.platformKeys [11] for enterprise-managed extensions.
- Use WebCrypto to implement certificate enrollment, then deliver the certificate and (exported) private key in an appropriate format for the platform (such as PKCS#7) and allow the native OS UI to guide users through installation of certificates and keys.
If you want to criticize webid, then you have to say what they should do to get the same effect under the same constraints.
Supporting that process on all platforms would be a major a major pain. (It becomes temping on the open platforms to just give the users an app to fix the whole thing, do certificate management, properly).
You suggest that the things that webid developers have described as 'bugs' you feel is 'working as intended'.... hmmm.
On Fri, Jul 31, 2015 at 2:16 PM, <01234567...@gmail.com> wrote:If you want to criticize webid, then you have to say what they should do to get the same effect under the same constraints.Not when the desired effect is unreasonable. The point is to show comparable solutions exist, with reasonable tradeoffs. There's not an incumbent demand to show there's a 100% functionally equivalent solution, because the functionality itself is problematic and flawed by design.
Supporting that process on all platforms would be a major a major pain. (It becomes temping on the open platforms to just give the users an app to fix the whole thing, do certificate management, properly).This is exactly what I said in the original message, and which you acknowledge has a very important adjective there - "properly".Systems management is not the realm of the browser. You should not have functionality that, say, allows arbitrary websites to configure your Wifi. I say this knowing full well that there are a tremendous number of interesting and exciting things you could do if such a functionality existed. Similarly, your browser should not be the vector for VPN management, despite their being exciting and compelling things you could do.Certificate and key management - which is system wide, affects all other applications and origins - is itself a fundamentally flawed premise for a browser to be involved in, nor is it required for any 'spec-following' <keygen> implementation. As the original message laid out, there's no way such a feature would have a reasonable chance of succeeding. The very premise of WebID rests on the ability to create a cross-origin super-cookie (the client cert), and the bugs filed make it clear there's a desire to reduce or eliminate the user interaction in doing so.
You suggest that the things that webid developers have described as 'bugs' you feel is 'working as intended'.... hmmm.Yes. They are. I've explained at great length to your fellow WebID CG members, during discussions in the WebCrypto WG, on the Chromium tracker, in private emails, and at W3C TPACs and F2Fs, how several of the fundamental requirements of WebID are, at a protocol level, incompatible with how the Web works.
Regardless of your feelings towards WebID, which I fully acknowledge that after several years of effort, I'm unlikely to dissuade any members of the technical folly, let's go back to first principles.Should an arbitrary website be able to make persistent modification to your device, that affects all applications, without user interaction? (As implemented today in several browsers?). The answer is immediately and obviously no.
What tools exist to mitigate this concern? As browser operators, we have two choices:1) Only allow the origin to affect that origin.2) Defer the decision to the user, hoping they're sufficiently aware and informed of the risks and implications.1) is entirely viable if <keygen> were kept around, but it would entirely eliminate the value proposition of <keygen> from those arguing for it being kept (both on this thread and the similar Mozilla thread - https://groups.google.com/d/msg/mozilla.dev.platform/pAUG2VQ6xfQ/FKX63BwOIwAJ ). So we can quickly rule that out as causing the same concerns.
2) is not a viable pattern. You yourself have commented on past threads on encouraging TLS adoption what you view of the complexity involved in certificate management, and these are challenges being faced by populations with a modicum of technical background (web developers, server operators, the like). Surely you can see these challenges - and concepts - of key management and hygiene are well beyond the ken of the average user. But let's assume we could draft some perfect language to communicate to the user, what would we need to communicate?"If you continue, this website may be able prevent your machine from accessing the Internet?""If you continue, this website may be able to allow arbitrary parties to intercept all of your secure communications?"
Is that a reasonable permission to grant? No, absolutely not. But that's what <keygen> - and the related application/x-x509-*-cert - rely on. That itself is a fundamental problem, and one which is not at all reasonable to ask.
I do hope you can re-read my original message and see the many, fundamental, by-design issues with <keygen>. It's existence was to compete with a Microsoft-developed ActiveX system management control intended for internal networks only, and whose inception predated even the modern extension systems now used for management of Mozilla Firefox. I don't deny that you've found utility in the fact that something insecure, and broken by design, has been exposed to the Web, but that's not itself an argument for its continuation. Given the risks, it's also not reasonable to suggest that the feature be held hostage by a small minority of developers, with virtually non-existent group of users, until they can be convinced of technical alternatives. Somewhere, there has to be a split as to what represents a reasonable part of the Web platform - and what represents an artifact of the heady, but terribly insecure, days of the First Browser Wars and the pursuit of vendor-lockin.
1) Firefox at least until recently had its own keychain, so it did not affect all other apps. So your statement is not true for all browsers
3) It would be easy to improve the user interface to allow the user to view and inspect the certificate before accepting it. The user could for example add a small nick name to the certificate to identify it more easily. I can think of a lot of other improvements that would massively improve the UI. (I am available for consultation to help out there)
4) The certificates added allow the user to authenticate to other sites, they were not certifiate authority certificates ( IF a browser automatically added that there would be justified global outcry). These client certificates do not influence the security of the web.
5) Your argument would apply just as well for adding passwords to the keychain too. I don't think many people would be convinced that that was a great problem. I myself find that feature really nice by the way. It allows me to move between Safari and Chrome from time to time ( and to Firefox with an addon ), without having to add all the passwords back again. The reason I never used Opera was the fact that I could never extract passwords again from their keychain. I did not want to invest in a browser that did not give me the freedom to switch later.
You have not provided an argument here based on first principles. If you had it would not be so easy to show how minor improvements to the UI could change the situation. I think your problem here is that you are so focused on the crypto or the lower layers that you fail to take into account the dimensions closer to the user that involve psychology, artistic design, etc...Of course if you don't take those dimensions into account I can see how you can come to the conclusion that your argument is fail safe.
yes, a keygen that would create a certificate that allowed you to log in to one site only would not be very interesting. Kind of defeating the whole point of asymmetric crypto.
This would only be the case if the browser allowed Certificate Authority level certificates to be installed. But the browsers usually have 3 different levels of certificates which go into different boxes that are isolated: user certificates, user installed CA certificates and browser CA installed certificates.
yes, but it is a straw man, as I don't think any browser automatically would allow CA based certificates to be added.
From the above I don't get the feeling that you really understand how the certificate systems work. What am I missing here?
On Fri, Jul 31, 2015 at 3:40 PM, <henry...@gmail.com> wrote:1) Firefox at least until recently had its own keychain, so it did not affect all other apps. So your statement is not true for all browsersI never said it was.3) It would be easy to improve the user interface to allow the user to view and inspect the certificate before accepting it. The user could for example add a small nick name to the certificate to identify it more easily. I can think of a lot of other improvements that would massively improve the UI. (I am available for consultation to help out there)While generous, I already demonstrated why this is a fundamentally flawed argument.
4) The certificates added allow the user to authenticate to other sites, they were not certifiate authority certificates ( IF a browser automatically added that there would be justified global outcry). These client certificates do not influence the security of the web.This is factually wrong, as responded to below.
5) Your argument would apply just as well for adding passwords to the keychain too. I don't think many people would be convinced that that was a great problem. I myself find that feature really nice by the way. It allows me to move between Safari and Chrome from time to time ( and to Firefox with an addon ), without having to add all the passwords back again. The reason I never used Opera was the fact that I could never extract passwords again from their keychain. I did not want to invest in a browser that did not give me the freedom to switch later.Yes, and we no longer do. So that's also consistent :)
You have not provided an argument here based on first principles. If you had it would not be so easy to show how minor improvements to the UI could change the situation. I think your problem here is that you are so focused on the crypto or the lower layers that you fail to take into account the dimensions closer to the user that involve psychology, artistic design, etc...Of course if you don't take those dimensions into account I can see how you can come to the conclusion that your argument is fail safe.While I appreciate your concern about what I am and am not thinking about, you will find that the very message you were replying to was focused very much on these. My past replies to you, in the WebCrypto WG (and WebCrypto CG) and on the bugs you have filed have also provided ample evidence why it's not a UI issue, but a technical one. It's clear I won't be able to convince you of that any further, but I do want to highlight the very real disagreement with your assertions.
yes, a keygen that would create a certificate that allowed you to log in to one site only would not be very interesting. Kind of defeating the whole point of asymmetric crypto.This is a statement that makes no sense. It defeats the point of _your_ goal, but it's perfectly consistent with asymmetric crypto. There is no requirement for multi-party exchanges in public/private keypairs.
This would only be the case if the browser allowed Certificate Authority level certificates to be installed. But the browsers usually have 3 different levels of certificates which go into different boxes that are isolated: user certificates, user installed CA certificates and browser CA installed certificates.Sorry Henry, but this isn't the case.Let me make it absolutely clear, although I stated as much in the original message: Installing client certificates is a risky and dangerous operation that can break the ability for a user to securely browse the web. This is true for ALL platforms I'm concerned about (e.g. all the platforms on Chrome). I cannot make this more abundantly obvious, but the sheer act of installing a client certificate is a _dangerous_ operation, and one on which the entire premise of WebID is balanced.
yes, but it is a straw man, as I don't think any browser automatically would allow CA based certificates to be added.No, you're ignoring what I wrote in the original message. Through simple use of <keygen> - without any certificates - I can break users devices. Full stop.
Now you can argue it's a "bug" that needs fixing - and I agree, the fact that a <keygen> tag can do this IS quite unfortunate AND well known (although not by the WebID folks, it would seem). But the question is whether or not there is anything worth saving in <keygen> in the face of bugs like this - and the many other reasons I outlined in the original message - and the answer is increasingly "No".
From the above I don't get the feeling that you really understand how the certificate systems work. What am I missing here?Thanks for the vote of confidence. This will be my last reply, as I've yet again been suckered into making a good faith attempt to explain to you the issues.
[snip]
On Tue, Jul 28, 2015 at 1:47 PM, David Benjamin <davi...@chromium.org> wrote:
[snip]
This is allowing a website to inject a certificate and key pair into the global key store for use *by* your native email client. Now, this is also not thaaaat uncommon of an inter-application integration point, but it's one whose ramifications are extremely unclear. And the way it is done with <keygen> is pretty horrific. Websites can spam the key store with persistent private keys, all of which are orphaned and useless. Only a week later, when the CA has approved your certificate request, does the key then get bound to a certificate and become usable. But, even then, we can either do it without prompting (and now my store is further spammed) or we can do it with a prompt that no user will understand ("would you like to add this certificate to your certificate store?").
That's a stronger argument and one that resonates with me.
It's just a bad mechanism all around. A much much better mechanism would be, as Ryan describes below, for the enrollment application to construct a PKCS#12 bundle (or some other format) with both key and certificate and then we pass that bundle off somewhere to import as one unit. Before the two halves are correlated, storage of the private key is the enrollment application's responsibility and falls under the isolation and other policies of any other web application storage.