Re: [whatwg] keygen element

2012-01-27 Thread Ian Hickson
On Thu, 20 Oct 2011, Martin Boßlet wrote:
>
> In 4.10.14 The keygen element:
>
> Generate an RSA key pair using the settings given by the user, if
> appropriate, using the md5WithRSAEncryption RSA signature algorithm (the
> signature algorithm with MD5 and the RSA encryption algorithm) referenced
> in section 2.2.1 (RSA Signature Algorithm) of RFC 3279, and defined in
> RFC 2313. [RFC3279] [RFC2313]
>
> Wouldn't it be better to at least recommend sha1WithRSAEncryption or
> better even, sha256WithRSAEncryption, given that MD5 is generally
> considered broken?

Probably, but that's not what browsers do.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Re: [whatwg] keygen element

2011-10-21 Thread timeless
From memory the goal of speccing the tag is to define how it's
implemented in the wild so that new UAs can read the spec and
implement something compatible with existing UAs, content and servers.
Suggesting anything that isn't what existing UAs do runs counter to
this goal.

On 10/20/11, Martin Boßlet martin.boss...@googlemail.com wrote:
> In 4.10.14 The keygen element:
>
> Generate an RSA key pair using the settings given by the user, if
> appropriate, using the md5WithRSAEncryption RSA signature algorithm (the
> signature algorithm with MD5 and the RSA encryption algorithm) referenced
> in section 2.2.1 (RSA Signature Algorithm) of RFC 3279, and defined in
> RFC 2313. [RFC3279] [RFC2313]
>
> Wouldn't it be better to at least recommend sha1WithRSAEncryption or
> better even, sha256WithRSAEncryption, given that MD5 is generally
> considered broken?
>
> Best regards,
> Martin Boßlet


-- 
Sent from my mobile device


[whatwg] keygen element

2011-10-20 Thread Martin Boßlet
In 4.10.14 The keygen element:

Generate an RSA key pair using the settings given by the user, if appropriate,
using the md5WithRSAEncryption RSA signature algorithm (the signature
algorithm with MD5 and the RSA encryption algorithm) referenced in section
2.2.1 (RSA Signature Algorithm) of RFC 3279, and defined in RFC 2313.
[RFC3279] [RFC2313]

Wouldn't it be better to at least recommend sha1WithRSAEncryption or better
even, sha256WithRSAEncryption, given that MD5 is generally considered as
broken?

Best regards,
Martin Boßlet


Re: [whatwg] keygen element

2008-07-15 Thread Ian Hickson
On Mon, 14 Jul 2008, Lars wrote:
>
> I have written a little text now which has some documentation and info
> about this attribute.

Woah, that's the most useful information I've ever seen on keygen,
thanks!


> Where should I send this, and to whom?

Sending it to this list was the right place.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


Re: [whatwg] keygen element

2008-07-14 Thread Lars
Hi

I have written a little text now which has some documentation and
info about this attribute.
Where should I send this, and to whom? And does anyone have any info I
can add to the txt?

Thanks
  Lars

On Wed, Jul 9, 2008 at 2:32 PM, Anne van Kesteren [EMAIL PROTECTED] wrote:
> Hi,
>
> On Wed, 09 Jul 2008 14:19:09 +0200, Lars [EMAIL PROTECTED] wrote:
>
> > Is there any hope for this element? What information does which people
> > want to make this an HTML5 standard?
>
> It seems we have similar interests :-) I haven't gotten around to doing it,
> but what needs to be done is having a vast set of test cases that
> demonstrate how this feature is implemented today. Ideally from those
> testcases we can write up a proposal that can then be incorporated into
> HTML5.
>
> I believe this is all that is blocking the inclusion of this feature at this
> point. (Though it might also be delayed slightly because Web Forms 2.0 is
> not integrated yet, but that might happen soon.)
>
> Kind regards,
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
> http://www.opera.com/

=== Intro ===
When you want really strong security on the web, it's a good idea to use SSL.
SSL can be used to encrypt your end-to-end connection to the web server, but
you will need a client certificate so that the server can verify you as who you
are. The right way to get a certificate like this is for your browser to
generate it! The private key should NEVER get out of the client machine. It
should be generated and stored within the browser's certificate store.


=== Background info ===
Netscape made an HTML attribute called keygen (<keygen>) many years ago.
There seems to be almost zero documentation around about this attribute.
Lots of the info you can find is old, and is missing vital info.
I have looked around, and I have seen e.g. netbanks using this attribute.
Sites that want this functionality without using this tag I've seen
using ActiveX/JavaScript hacks, which is really not what we want from
a tag that depends on security.


=== Why do we need this? ===
I'm sure that if more people knew about this attribute and how to use it, it
would be used in a lot more areas. It can be used within big companies that
rely on strong security for their employees when they want to access company
data from the outside, for example mail or administrative web tools. Internet
banks can also use this. They would/should only use standardized, tested
technology, and currently this attribute is not really standardized, nor
documented.

There are tools (enterprise, expensive) that can do this now; you generate your
certificate inside the network, and you can access the network from the outside.
However, to get this very useful feature of SSL into more places, it needs to be
standardized, IE needs to support it, and it needs to be better documented!


=== Support ===
Currently, all the major browsers support this attribute: Opera,
Firefox and Safari.
Internet Explorer, however, does not; see http://support.microsoft.com/kb/190282.


=== Technical info ===
When using the keygen attribute inside a form like this:
  <form>
    <keygen name="pubkey" challenge="randomchars">
    <input type="submit" name="createcert" value="Generate">
  </form>


You will get a dropdown list with the browser's supported key lengths and
a Generate submit button on the right.
When you, in this case, click Generate, the browser will generate a keypair and
send the public key back to the browser in the $_POST['pubkey'] or
$_GET['pubkey'] variable.
Example output of the data sent to the server:

This is the public key in SPKAC format, see
http://www.openssl.org/docs/apps/spkac.html.
The server now needs to sign this key with its own certificate. But first you
need to put it in one file in this format (PHP code). The pubkey must be on one
line in the spkac file, so you need to remove the newlines first. Here is the
PHP code for making the file that you later need to sign:
  $key = $_REQUEST['pubkey'];
  $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
  $keyreq .= "\nCN=".$username;
  $keyreq .= "\nemailAddress=".$CAmail;
  $keyreq .= "\n0.OU=".$CAorg." client certificate";
  $keyreq .= "\norganizationName=".$CAorg;
  $keyreq .= 
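The server-side step Lars sketches above (take $_REQUEST['pubkey'], strip the newlines, hand the SPKAC to the CA) and Martin's question at the top of this page about md5WithRSAEncryption both turn on what is actually inside that base64 blob. What follows is an added example, not code from this thread, from WHATWG, Netscape or any browser. It builds a SignedPublicKeyAndChallenge the way a browser would for <keygen name="pubkey" challenge="randomchars">, then performs the checks a CA front end should make before signing anything: the DER parses with nothing trailing, the enclosed key is RSA, the challenge equals the one this server issued, the self-signature verifies against the enclosed public key (proof of possession of the private key), and the signature algorithm is on an allow-list. Assumptions: the SPKAC layout is the one documented for openssl spkac (PublicKeyAndChallenge, AlgorithmIdentifier, BIT STRING signature); the RSA key is a deterministic fixture made from two well-known Mersenne primes, 2^521-1 and 2^607-1, so no key generator is needed and the script runs offline with the standard library only (that key is public, so it is useless for anything but this demonstration); the default allow-list admitting only sha256WithRSAEncryption is a policy choice for the example, not something the spec or any browser does.

```python
"""SPKAC (SignedPublicKeyAndChallenge) as submitted by <keygen>: built and checked.
Added example for this thread, not code from WHATWG, Netscape or any browser. Standard
library only; the RSA key is a fixture from two public Mersenne primes (not a secret)."""
import base64, hashlib, hmac

SEQ, BITSTR, OCTET, IA5, NULL = 0x30, 0x03, 0x04, 0x16, b"\x05\x00"
RSA_OID = "1.2.840.113549.1.1.1"
SIG_ALGS = {  # signatureAlgorithm OID -> (name, hashlib name, digest OID used in DigestInfo)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5", "1.2.840.113549.2.5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1", "1.3.14.3.2.26"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256", "2.16.840.1.101.3.4.2.1"),
}
_P, _Q = 2**521 - 1, 2**607 - 1                       # toy key material (public primes)
TOY_PRIV = (_P * _Q, 65537, pow(65537, -1, (_P - 1) * (_Q - 1)))  # (n, e, d)

def der(tag, body):  # one TLV; long-form length once the body exceeds 127 bytes
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_int(n):  # unsigned INTEGER; adds the leading 0x00 when the high bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def oid_decode(body):
    arcs, a = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        a = (a << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, a = arcs + [a], 0
    return ".".join(map(str, arcs))

def der_children(buf):  # -> [(tag, value, raw TLV)], raising on a truncated element
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, p = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            ln, p = int.from_bytes(buf[p:p + (ln & 0x7F)], "big"), p + (ln & 0x7F)
        if p + ln > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[p:p + ln], buf[pos:p + ln]))
        pos = p + ln
    return out

def emsa_pkcs1_v15(msg, sig_oid, k):  # RFC 2313 block type 01 encoding of DigestInfo
    _, hname, digest_oid = SIG_ALGS[sig_oid]
    digest_info = der(SEQ, der(SEQ, der_oid(digest_oid) + NULL)
                      + der(OCTET, hashlib.new(hname, msg).digest()))
    if k < len(digest_info) + 11:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def rsa_verify(n, e, msg, sig, sig_oid):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, sig_oid, k))  # compare the whole block

def build_spkac(priv, challenge, alg_name="sha256WithRSAEncryption"):
    """Browser side: SPKI + challenge, self-signed with the freshly generated private key."""
    n, e, d = priv
    sig_oid = next(oid for oid, v in SIG_ALGS.items() if v[0] == alg_name)
    spki = der(SEQ, der(SEQ, der_oid(RSA_OID) + NULL)
               + der(BITSTR, b"\x00" + der(SEQ, der_int(n) + der_int(e))))
    pkac = der(SEQ, spki + der(IA5, challenge.encode("ascii")))
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa_pkcs1_v15(pkac, sig_oid, k), "big"), d, n).to_bytes(k, "big")
    return base64.b64encode(der(SEQ, pkac + der(SEQ, der_oid(sig_oid) + NULL)
                                + der(BITSTR, b"\x00" + sig))).decode()

def verify_spkac(spkac_b64, expected_challenge, allowed=("sha256WithRSAEncryption",)):
    """Server side -> (ok, signature algorithm, (n, e)); ok only if everything checks out."""
    try:
        blob = base64.b64decode("".join(spkac_b64.split()), validate=True)  # UAs may wrap lines
        [(top_tag, top, _)] = der_children(blob)          # exactly one SEQUENCE, nothing trailing
        (_, pkac, pkac_raw), (_, algid, _), (_, sig_bits, _) = der_children(top)
        alg_oid = oid_decode(der_children(algid)[0][1])
        name = SIG_ALGS[alg_oid][0] if alg_oid in SIG_ALGS else alg_oid
        (_, spki, _), (chal_tag, chal, _) = der_children(pkac)
        (_, spki_alg, _), (_, key_bits, _) = der_children(spki)
        (_, n_b, _), (_, e_b, _) = der_children(der_children(key_bits[1:])[0][1])
        n, e = int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")
        if (top_tag != SEQ or chal_tag != IA5 or key_bits[0] or sig_bits[0] or alg_oid not in SIG_ALGS
                or oid_decode(der_children(spki_alg)[0][1]) != RSA_OID):
            return False, name, None
    except (ValueError, IndexError):
        return False, None, None
    chal_ok = hmac.compare_digest(chal, expected_challenge.encode("ascii"))
    sig_ok = rsa_verify(n, e, pkac_raw, sig_bits[1:], alg_oid)
    return (name in allowed and chal_ok and sig_ok), name, (n, e)
```

verify_spkac(build_spkac(TOY_PRIV, "randomchars"), "randomchars") returns (True, 'sha256WithRSAEncryption', (n, e)); the same blob built with "md5WithRSAEncryption" comes back (False, 'md5WithRSAEncryption', (n, e)) under the default policy, so the server can log which algorithm the client used and decide whether to accept it, which is the lever Martin's question is really about. A wrong challenge, a flipped byte anywhere in the blob, or a non-base64 string all yield ok False, and the raw PublicKeyAndChallenge bytes (not a re-encoding) are what the signature is checked over. Note that verification compares the full PKCS#1 v1.5 block rather than parsing the decrypted value, and that the challenge is compared with a constant-time primitive; the PHP fragment above should at minimum run the equivalent of these checks (openssl spkac -verify covers the signature) before anything is passed to the CA.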

Re: [whatwg] keygen element

2008-07-14 Thread Anne van Kesteren

On Mon, 14 Jul 2008 13:12:35 +0200, Lars [EMAIL PROTECTED] wrote:
> I have written a little text now which has some documentation and
> info about this attribute.
> Where should I send this, and to whom? And does anyone have any info I
> can add to the txt?


It seems like a good start; however, it currently does not say too much on
what the browser has to do. The document explains to authors how they can
make use of it.


http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt

For instance, does the browser actually check the Content-Type of the form  
submission response? How does it parse the response? How does the browser  
need to sign subsequent requests?


(Now I see you need Apache configuration for various things this feature  
seems quite a bit more complicated than I anticipated. I knew it was  
important to support it, but never actually played with it so far.)



--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/


[whatwg] keygen element

2008-07-09 Thread Lars
Hi

I've been searching around in old mail in this mailing list to try to
find this answer, but all I could find about this html element is
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2005-November/thread.html#5092,
which isn't that good.

I have been reading a lot of documentation about this element (at
least, the documentation I could find, not much). I don't understand
why this isn't a standard yet, and from what I can see, it doesn't
look good for this element in HTML5 either.

For those of you who don't know what this element does: it's for
generating a private/public certificate keypair. The browser keeps the
private one, and the server gets the public one, which it signs and
then sends back to the browser. This is extremely useful for secure
verification. Netbanks and other heavy-security sites should be/are using
this.

I have set up a system like this, and I'm more than happy to provide
info and examples of how it's done. I know that the documentation on
the element is almost non-existent.

Microsoft (IE) doesn't support this tag, but Firefox and Opera do.
Microsoft has info about why here:
http://support.microsoft.com/kb/190282.

Is there any hope for this element? What information does which people
want to make this an HTML5 standard?

Thanks
  Lars


Re: [whatwg] keygen element

2008-07-09 Thread Anne van Kesteren

Hi,

On Wed, 09 Jul 2008 14:19:09 +0200, Lars [EMAIL PROTECTED] wrote:
> Is there any hope for this element? What information does which people
> want to make this an HTML5 standard?


It seems we have similar interests :-) I haven't gotten around to doing  
it, but what needs to be done is having a vast set of test cases that  
demonstrate how this feature is implemented today. Ideally from those  
testcases we can write up a proposal that can then be incorporated into  
HTML5.


I believe this is all that is blocking the inclusion of this feature at  
this point. (Though it might also be delayed slightly because Web Forms  
2.0 is not integrated yet, but that might happen soon.)


Kind regards,


--
Anne van Kesteren
http://annevankesteren.nl/
http://www.opera.com/


Re: [whatwg] keygen element

2008-07-09 Thread Rimantas Liubertas
...
> For those of you who don't know what this element does: it's for
> generating a private/public certificate keypair. The browser keeps the
> private one, and the server gets the public one, which it signs and
> then sends back to the browser. This is extremely useful for secure
> verification. Netbanks and other heavy-security sites should be/are using
> this.
...
> Is there any hope for this element? What information does which people
> want to make this an HTML5 standard?

Hi,
how is this better than SSL/TLS?


Regards,
Rimantas
--
http://rimantas.com/


Re: [whatwg] keygen element

2008-07-09 Thread Lars
Hi

This is using TLS/SSL.

Example: You tell your webserver that under directory /secure/ the
client must have a certificate signed by CA1. For the client to get
this certificate you normally make it, sign it, and then import it into
the browser. With the keygen attribute, all this is done in a cleaner,
more secure way. The browser generates everything and sends the
public key with SPKAC (http://www.openssl.org/docs/apps/spkac.html) to
the server.

So as you see, it's not a replacement for TLS/SSL in any way. It's just
a better way to do it.

--
  Lars

On Wed, Jul 9, 2008 at 2:35 PM, Rimantas Liubertas [EMAIL PROTECTED] wrote:
> ...
> > For those of you who don't know what this element does: it's for
> > generating a private/public certificate keypair. The browser keeps the
> > private one, and the server gets the public one, which it signs and
> > then sends back to the browser. This is extremely useful for secure
> > verification. Netbanks and other heavy-security sites should be/are using
> > this.
> ...
> > Is there any hope for this element? What information does which people
> > want to make this an HTML5 standard?
>
> Hi,
> how is this better than SSL/TLS?
>
>
> Regards,
> Rimantas
> --
> http://rimantas.com/



Re: [whatwg] keygen element

2008-07-09 Thread Maciej Stachowiak


On Jul 9, 2008, at 5:19 AM, Lars wrote:

> Microsoft (IE) doesn't support this tag, but Firefox and Opera do.
> Microsoft has info about why here:
> http://support.microsoft.com/kb/190282.


Safari also supports this element.

 - Maciej



Re: [whatwg] keygen element

2005-11-26 Thread Hallvord Reiar Michaelsen Steen
On 14 Nov 2005 at 23:43, Ian Hickson wrote:

> > Also, AFAIK keygen isn't in any standard but implemented in both Gecko
> > and Opera. Something for WHATWG to standardise?
>
> keygen in general is not specified at all in WHATWG at the moment. I
> would be open to adding it but I have so far utterly failed to work out
> what it is supposed to do. If you'd like it in the specs, please send a
> detailed spec for it (including error handling) and if it is a good spec
> then I'll look into adding it at some point.

I was sent a pointer to some older Netscape documentation:
http://wp.netscape.com/eng/security/comm4-keygen.html

-- 
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/




Re: [whatwg] keygen element

2005-11-26 Thread Ian Hickson
On Sat, 26 Nov 2005, Hallvord Reiar Michaelsen Steen wrote:
> On 14 Nov 2005 at 23:43, Ian Hickson wrote:
>
> > > Also, AFAIK keygen isn't in any standard but implemented in both Gecko
> > > and Opera. Something for WHATWG to standardise?
> >
> > keygen in general is not specified at all in WHATWG at the moment. I
> > would be open to adding it but I have so far utterly failed to work out
> > what it is supposed to do. If you'd like it in the specs, please send a
> > detailed spec for it (including error handling) and if it is a good spec
> > then I'll look into adding it at some point.
>
> I was sent a pointer to some older Netscape documentation:
> http://wp.netscape.com/eng/security/comm4-keygen.html

Yeah, that's all I could find as well. It isn't detailed enough.

-- 
Ian Hickson   U+1047E)\._.,--,'``.fL
http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


[whatwg] keygen element

2005-11-13 Thread Hallvord Reiar Michaelsen Steen
I'd like the keygen DOM object to have a .value property, or 
something like that, so that the value can be read and set from JS.

Also, AFAIK keygen isn't in any standard but implemented in both 
Gecko and Opera. Something for WHATWG to standardise?
-- 
Hallvord Reiar Michaelsen Steen
http://www.hallvord.com/