Intent to unship: <keygen>

Intent to unship: <keygen> Jonathan Kingston 14/06/19 03:24 AM
<keygen> has been removed in Chrome since version 56 in Jan 2017 and never
was implemented in Internet Explorer or Edge. The element has also been
removed from the HTML specification: https://github.com/w3c/html/issues/43
Firefox's implementation never matched the specification completely as the
parser changed the elements into a select with some hacks to make it work:
https://bugzilla.mozilla.org/show_bug.cgi?id=101019

The element didn't have clear usage numbers and also the user experience
wasn't clear at all (the Firefox implementation was a select box with "high
grade" and "medium grade" options). It also poses a privacy risk as another
fingerprint vector. Most of the use cases are resolved by web crypto or u2f.

With code that was unmaintained for many years in Firefox, it poses a unique
risk to NSS and also includes a DoS vector against the parent process.

The removal implementation is to change the parser to behave similarly to
other void elements but also behave like HTMLUnknownElement. The
appropriate web platform tests that were put in place by Chrome developers
are now conforming to their implementation.

Keygen will be removed from Firefox 69.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1315460

Note: This is a post-hoc unship notice. This wasn't intentional; I thought I
had already filed when I worked on this initially.

Thanks
Jonathan
Re: Intent to unship: <keygen> Henri Sivonen 14/06/19 04:02 AM
On Fri, Jun 14, 2019 at 1:24 PM Jonathan Kingston <j...@mozilla.com> wrote:
> Most of the use cases are resolved by web crypto or u2f.

Thanks for the removal. Do we have enterprise Web developer-facing
documentation on 1) how TLS client cert enrollment should work now or
2) if there is no in-browser client cert enrollment path anymore, what
concretely should be used instead? (To be clear: I'm not a fan of
client certs, and I'm not requesting that there be an enrollment
path.)

--
Henri Sivonen
hsiv...@mozilla.com
Re: Intent to unship: <keygen> Jonathan Kingston 14/06/19 04:23 AM
Client certificates are manually importable in about:preferences > Privacy
& security > View Certificates > import.
Not much has changed since this article:
https://www.jscape.com/blog/firefox-client-certificate; however, we should
improve our support articles before this lands in release.
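The manual-import path mentioned in the reply above takes a PKCS#12 file, and without <keygen> the key pair and CSR have to be produced outside the page. The following is an added example, not code from this thread or from Mozilla, that walks through that flow with the openssl CLI; the throwaway test CA, subject name, file names and passphrase are all constructed, and a real deployment would send the CSR to the organisation's CA instead.

```shell
#!/usr/bin/env bash
# Added example. Subjects, file names and the passphrase are constructed.
set -eu

make_test_ca() {            # $1 = work dir. Stand-in for the organisation's CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_csr() {                # $1 = work dir, $2 = common name
  # The step <keygen> used to perform inside the page: the key pair is
  # generated locally and only the public half leaves, inside the CSR.
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null )
}

sign_csr() {                # $1 = work dir. Performed by the CA, not the user.
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$1/ext.cnf"
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/ext.cnf" -out "$1/user.crt" 2>/dev/null
}

make_p12() {                # $1 = work dir, $2 = friendly name; passphrase in $P12_PASS
  # PKCS#12 bundle (key + certificate + CA certificate) for the browser's
  # certificate import dialog. env: keeps the passphrase off the command line.
  ( umask 077
    openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" \
      -certfile "$1/ca.crt" -name "$2" -passout env:P12_PASS -out "$1/user.p12" )
}

p12_subject() {             # $1 = work dir. Read the bundle back before handing it over.
  openssl pkcs12 -in "$1/user.p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253
}

workdir=$(mktemp -d)
export P12_PASS='constructed-passphrase'
make_test_ca "$workdir"
make_csr  "$workdir" "alice@example.test"
sign_csr  "$workdir"
make_p12  "$workdir" "alice@example.test"
openssl verify -CAfile "$workdir/ca.crt" "$workdir/user.crt"
p12_subject "$workdir"
```

The resulting `user.p12` is what gets selected in the import dialog; `user.key` should be deleted once the bundle has been verified.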
Re: Intent to unship: <keygen> Boris Zbarsky 14/06/19 07:21 AM
On 6/14/19 7:02 AM, Henri Sivonen wrote:
> Thanks for the removal. Do we have enterprise Web developer-facing
> documentation on 1) how TLS client cert enrollment should work now or
> 2) if there is no in-browser client cert enrollment path anymore, what
> concretely should be used instead?

For what it's worth, the one case I am familiar with (MIT) has a native
app you run to manage your keystore for non-Firefox browsers (presumably
by changing the OS keystore) and uses <keygen> in Firefox.  See
http://kb.mit.edu/confluence/display/istcontrib/Certificates+Landing+Page#CertificatesLandingPage-GetCertificates

How viable is it to extend such a native app to munge the Firefox
keystore?  If it is, we should probably document it...

-Boris