| Intent to unship: <keygen> | Jonathan Kingston | 14/06/19 03:24 AM | <keygen> has been removed in Chrome since version 56 in Jan 2017 and never was implemented in Internet Explorer or Edge. The element has also been removed from the HTML specification: https://github.com/w3c/html/issues/43
Firefox's implementation never matched the specification completely, as the parser changed the elements into a select with some hacks to make it work: https://bugzilla.mozilla.org/show_bug.cgi?id=101019
The element didn't have clear usage numbers, and the user experience wasn't clear at all (the Firefox implementation was a select box with "high grade" and "medium grade" options). It also poses a privacy risk as another fingerprint vector. Most of the use cases are resolved by web crypto or u2f.
With code that was unmaintained for many years in Firefox, it poses a unique risk to NSS and also includes a DoS vector against the parent process.
The removal implementation is to change the parser to behave similarly to other void elements but also behave like HTMLUnknownElement. The appropriate web platform tests that were put in place by Chrome developers are now conforming to their implementation.
Keygen will be removed from Firefox 69. Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1315460
Note: This is a post-hoc unship notice; this wasn't intentional, I thought I had already filed when I worked on this initially.
Thanks, Jonathan |
| Re: Intent to unship: <keygen> | Henri Sivonen | 14/06/19 04:02 AM | On Fri, Jun 14, 2019 at 1:24 PM Jonathan Kingston <j...@mozilla.com> wrote:
Thanks for the removal. Do we have enterprise Web developer-facing documentation on 1) how TLS client cert enrollment should work now or 2) if there is no in-browser client cert enrollment path anymore, what concretely should be used instead? (To be clear: I'm not a fan of client certs, and I'm not requesting that there be an enrollment path.)
-- Henri Sivonen hsiv...@mozilla.com |
| Re: Intent to unship: <keygen> | Jonathan Kingston | 14/06/19 04:23 AM | Client certificates are manually importable in about:preferences > Privacy & security > View Certificates > import.
Not much has changed since this article: https://www.jscape.com/blog/firefox-client-certificate However, we should improve our support articles before this lands in release. |
| Re: Intent to unship: <keygen> | Boris Zbarsky | 14/06/19 07:21 AM | On 6/14/19 7:02 AM, Henri Sivonen wrote:
For what it's worth, the one case I am familiar with (MIT) has a native app you run to manage your keystore for non-Firefox browsers (presumably by changing the OS keystore) and uses <keygen> in Firefox. See http://kb.mit.edu/confluence/display/istcontrib/Certificates+Landing+Page#CertificatesLandingPage-GetCertificates
How viable is it to extend such a native app to munge the Firefox keystore? If it is, we should probably document it...
-Boris |
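
The first message notes that most <keygen> use cases are covered by Web Crypto. As an added example (not code from the thread or from Firefox), the following reproduces the public-key-plus-signed-challenge submission that <keygen> performed, using `crypto.subtle`. The function names, the P-256 curve and the challenge strings are assumptions made for illustration; the key it creates serves application-level signatures only and cannot act as a TLS client certificate.

```javascript
// Added example: keygen-style proof of possession with Web Crypto.
// Runs in browsers and in Node.js; names and sample values are constructed.
const { subtle } = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Bytes covered by the signature: SPKI-encoded public key, then the challenge.
function signedBlob(spki, challenge) {
  const out = new Uint8Array(spki.byteLength + challenge.byteLength);
  out.set(new Uint8Array(spki), 0);
  out.set(challenge, spki.byteLength);
  return out;
}

// Client side: create a key pair whose private half is non-extractable,
// then sign the server's challenge to prove possession of that key.
async function enroll(challenge) {
  const keys = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  const spki = await subtle.exportKey('spki', keys.publicKey);
  const signature = await subtle.sign(SIG, keys.privateKey, signedBlob(spki, challenge));
  return { spki, signature, privateKey: keys.privateKey };
}

// Server side: accept the public key only if the signature covers the exact
// challenge this server issued for the session (prevents replayed enrollments).
async function verifyEnrollment(spki, signature, expectedChallenge) {
  const pub = await subtle.importKey('spki', spki, ALG, true, ['verify']);
  return subtle.verify(SIG, pub, signature, signedBlob(spki, expectedChallenge));
}

// End-to-end run with constructed challenges (a real server sends a random nonce).
async function demo() {
  const enc = new TextEncoder();
  const issued = enc.encode('constructed-challenge-A');
  const other = enc.encode('constructed-challenge-B');
  const reg = await enroll(issued);
  return {
    fresh: await verifyEnrollment(reg.spki, reg.signature, issued),
    wrongChallenge: await verifyEnrollment(reg.spki, reg.signature, other),
    // Exporting the private key must be rejected because extractable=false.
    exportBlocked: await subtle.exportKey('pkcs8', reg.privateKey).then(() => false, () => true),
  };
}
```

In a browser the returned `privateKey` object can be stored in IndexedDB, which keeps the key usable for signing while page script still cannot read its bytes.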