On Jan 6, 2009, at 4:40 AM, Ian Hickson wrote:
> Over the years, several people (most of them bcc'ed) have asked for
> HTML5 to include a definition of <keygen>. Some have even gone as far
> as finding documentation on the element -- thank you.
>
> As I understand it based on the documentation, <keygen> basically
> generates a public/private asymmetric cryptographic key pair, and then
> sends the public component as its form value.
>
> Unfortunately, this seems completely and utterly useless, as at no
> point does there seem to be any way to ever use the private component
> either for signing or for decrypting anything, nor does there appear
> to be a way to use the certificate for authentication.
>
> Without further information along these lines describing how to
> actually make practical use of the element, I do not intend to
> document <keygen> in the HTML5 specification. If anyone can fill in
> these holes that would be very helpful.

In the case of Safari, we store the generated private key in the
Keychain, and sites using <keygen> typically respond with a signed
certificate, which is downloaded and automatically added to the
Keychain. Depending on the valid purposes of the key, users can then
do the following automatically:

1) Browse to SSL sites that require client-side certificates for
authentication, in Safari.
2) Send email with strong authentication via a cryptographic
signature, in Mail.
3) Receive encrypted email from users who have received a copy of
their public key, in Mail.

I imagine other browsers store the private key and received signed
certificate in similar ways.

This is certainly a useful feature, and we added it at the request of
both end users and CAs.

Regards,
Maciej