On 9/27/2013 5:51 PM, Robert Relyea wrote:
I don't have a problem with going for an industry standard way of doing all of these things, but it's certainly pretty presumptuous to remove these features without supplying the industry standard replacements and time for them to filter through the internet. bob
I agree with Bob Relyea's assessment.Many arguments have been advanced for why generateCRMFRequest, PKCS #11 smart card events, and other crypto features should *not* be removed, and I agree with them. In brief: if you have a better and more standardized way of doing things, then invent it and propagate it first before removing functionality that people depend upon for their livelihoods. We have an web app internally that listens to smart card events. There are many other web apps that you may not see on the "Web Platform" that still use this functionality--they just do not participate in these types of forums.
In addition, it would be a great shame to remove this set of APIs from Firefox because the Mozilla platform itself uses them for chrome-privileged purposes. If you search "smartcard-insert", for example:
http://mxr.mozilla.org/mozilla-central/search?string=smartcard-insertyou will see that the Certificate Manager and the Device Manager use this event (and "smartcard-remove") to refresh themselves. So even if you remove these events from the webpage, you cannot remove them from Firefox. Our Firefox extension makes use of these events (in addition to the other APIs) so that would directly impact us as well.
It is one thing to remove the <blink> tag, which most users have found annoying or harmful (epilepsy). Removing crypto functionality in contrast impacts critical security functionality for many users.
The Internet is made good when people can use it to do productive work. Removing functionality that is used by vendors and users for no reason other than "purity" is unproductive and costly. By the logic of "purity", XMLHttpRequest should have been removed a long time ago because it was an IE-proprietary feature. The "open web" is an ecosystem of server-side and client-side technologies where everyone can innovate by introducing new things. If it's a useful feature, you can copy it. Removing things (that do not harm security) from the ecosystem goes in the wrong direction.
Sean
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
