Re: [whatwg] Help us review HTML5!

2009-04-03 Thread Lars
Hi

Haven't read it all yet, but I did a search, and found nothing about
the keygen element.
Isn't that supposed to be in there, or do you miss documentation on it?

If you are missing documentation, I will be happy to try to write
something in the same format as the other tags..

Thanks

Regards
  Lars

On Fri, Apr 3, 2009 at 1:01 AM, Ian Hickson i...@hixie.ch wrote:

 Have you been lurking here but wanting to do more? Now that HTML5 is
 starting to get more stable, it's time to ramp up the review process, so
 if you have been waiting for a reason to jump in, here it is.

 Open one of the versions of the spec:

   One page version
   http://www.whatwg.org/specs/web-apps/current-work/

   Multipage version
   http://whatwg.org/html5

   A4 PDF
   http://www.whatwg.org/specs/web-apps/current-work/html5-a4.pdf

   Letter PDF
   http://www.whatwg.org/specs/web-apps/current-work/html5-letter.pdf

 ...and start reading! See below for ideas of what to look for.

 If you find a problem, either send an e-mail to this mailing list, or file
 a bug (registration required) here:

   
 http://www.w3.org/Bugs/Public/enter_bug.cgi?component=Spec%20bugs&priority=P3&product=HTML%20WG&rep_platform=All


 The plan is to see whether we can shake down the spec and get rid of all
 the minor problems that have so far been overlooked. Typos, confusion,
 cross-reference errors, as well as mistakes in examples, errors in the
 definitions, and major errors like security bugs or contradictions.

 Anyone who helps find problems in the spec -- however minor --- will get
 their name in the acknowledgements section.

 You don't really need any experience to find the simplest class of
 problems: things that are confusing! If you don't understand something,
 then that's a problem. Not all the introduction sections and examples are
 yet written, but if there is a section with an introduction section that
 isn't clear, then you've found an issue: let us know!

 Something else that would now be good to search for is typos, spelling
 errors, grammar errors, and the like. Don't hesitate to send e-mails even
 for minor typos, all feedback even on such small issues is very welcome.

 If you have a specific need as a Web designer, then try to see if the need
 is met. If it isn't, and you haven't discussed this need before, then send
 an e-mail to the list. (So for example, if you want HTML to support date
 picker widgets, you'd look in the spec to see if it was covered. As it
 turns out, that one is!)

 If you have some specific expertise that lets you review a particular part
 of the spec for correctness, then that's another thing to look for. For
 example if you know about graphics, then reviewing the 2D Canvas API
 section would be a good use of your resources. If you know about
 scripting, then looking at the Web browsers section would be a good use
 of your time.


 If everything goes according to plan, I will respond to all issues by
 October. You can track how many issues remain to be responded to here:

   http://www.whatwg.org/issues/data.html


 You are encouraged to join our IRC channel #whatwg on Freenode to stay in
 touch with what other people are doing, but this is by no means required.
 You are also encouraged to post in the Discussion section on the wiki
 page:

   http://wiki.whatwg.org/wiki/Reviewing_HTML5#Discussion

 ...or in the blog comments for the corresponding blog post:

   http://blog.whatwg.org/help-us-review-html5

 ...to let people know what you are reviewing. You can get news updates by
 following @WHATWG on Twitter.

 --
 Ian Hickson               U+1047E                )\._.,--,'``.    fL
 http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
 Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



Re: [whatwg] keygen

2009-01-06 Thread Lars
Hi

I have written some documentation on this before, and I have already
published it to this mailing list. You can find it at
http://phpmylogin.sourceforge.net/wiki/doku.php?id=keygen_attribute if
it's nowhere to be found.

The private/public keypair generated with the keygen tag is only
useful if you have configured your webserver to only allow
certificates signed by your CA. I know of a few netbanks that do it
this way. It's a very secure solution!

If you want, I can send you some more php code of how I implemented
this in one of my projects. I can also make a little test-case if that
would be better..

Thanks for bringing up this subject again!

Cheers
  Lars

On Tue, Jan 6, 2009 at 1:40 PM, Ian Hickson i...@hixie.ch wrote:

 Over the years, several people (most of them bcc'ed) have asked for HTML5
 to include a definition of keygen. Some have even gone as far as finding
 documentation on the element -- thank you.

 As I understand it based on the documentation, keygen basically
 generates a public/private asymmetric cryptographic key pair, and then
 sends the public component as its form value.

 Unfortunately, this seems completely and utterly useless, as at no point
 does there seem to be any way to ever use the private component either for
 signing or for decrypting anything, nor does there appear to be a way to
 use the certificate for authentication.

 Without further information along these lines describing how to actually
 make practical use of the element, I do not intend to document keygen in
 the HTML5 specification. If anyone can fill in these holes that would be
 very helpful.

 Cheers,
 --
 Ian Hickson   U+1047E)\._.,--,'``.fL
 http://ln.hixie.ch/   U+263A/,   _.. \   _\  ;`._ ,.
 Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



Re: [whatwg] keygen element

2008-07-14 Thread Lars
Hi

I have written a little text now which has some documentation and
info about this attribute.
Where should I send this, and to whom? And does anyone have any info I
can add to the txt?

Thanks
  Lars

On Wed, Jul 9, 2008 at 2:32 PM, Anne van Kesteren [EMAIL PROTECTED] wrote:
 Hi,

 On Wed, 09 Jul 2008 14:19:09 +0200, Lars [EMAIL PROTECTED] wrote:

 Is there any hope for this element? What information does which people
 want to make this an HTML5 standard?

 It seems we have similar interests :-) I haven't gotten around to doing it,
 but what needs to be done is having a vast set of test cases that
 demonstrate how this feature is implemented today. Ideally from those
 testcases we can write up a proposal that can then be incorporated into
 HTML5.

 I believe this is all that is blocking the inclusion of this feature at this
 point. (Though it might also be delayed slightly because Web Forms 2.0 is
 not integrated yet, but that might happen soon.)

 Kind regards,


 --
 Anne van Kesteren
 http://annevankesteren.nl/
 http://www.opera.com/

=== Intro ===
When you want really strong security on the web, it's a good idea to use SSL.
SSL can be used to encrypt your end to end connection to the web server, but
you will need a client certificate for the possibility to verify you as who you
are. The right way to get a certificate like this is for your browser to
generate it! The private key should NEVER get out of the client machine. It
should be generated and stored within the browser certificate store.


=== Background info ===
Netscape made an HTML attribute called keygen, <keygen>, many years ago.
There seems to be almost zero documentation around about this attribute.
Lots of the info you can find is old, and is missing vital info.
I have looked around, and I have seen e.g. netbanks using this attribute.
Sites that want this functionality without using this tag I've seen
using ActiveX/JavaScript hacks, which is really not what we want from
a tag that depends on security.


== Why do we need this? ==
I'm sure that if more people knew about this attribute and how to use it, it
would be used in a lot more areas. It can be used within big companies that
rely on strong security for their employees when they want to access company
data from the outside, for example mail or administrative web tools. Internet
banks can also use this. They would/should only use standardized tested
technology, and currently, this attribute is not fairly standardized, nor
documented.

There are tools (enterprise, expensive) that can do this now; you generate your
certificate inside the network, and you can access the network from the outside.
However, to get this very useful feature of SSL in more places, it needs to be
standardized, IE needs to support it, and it needs to be more documented!


=== Support ===
Currently, all the major browsers support this attribute: Opera,
Firefox and Safari.
Internet Explorer however, does not, see http://support.microsoft.com/kb/190282.


=== Technical info ===
When using the keygen attribute inside a form like this:
 <form>
   <keygen name="pubkey" challenge="randomchars">
   <input type="submit" name="createcert" value="Generate">
 </form>


You will get a dropdown list with the browser's supported keylength and
a Generate submit box on the right.
When you, in this case, click Generate, the browser will generate a keypair and
send the public key back to the browser in the $_POST['pubkey'] or
$_GET['pubkey'] variables.
Example output of the data sent to the server:

This is the public key in SPKAC format, see
http://www.openssl.org/docs/apps/spkac.html.
The server now needs to sign this key with its own certificate. But first you
need to put it in one file in this format (PHP code) (the pubkey must be in one
line) in the spkac file, so you need to replace the newlines first. Here is the
PHP code for making the file that you later need to sign:
  // Raw value posted by the <keygen> form field
  $key = $_REQUEST['pubkey'];
  // Strip all whitespace so the SPKAC value sits on one line
  $keyreq = "SPKAC=".str_replace(str_split(" \t\n\r\0\x0B"), '', $key);
  $keyreq .= "\nCN=".$username;
  $keyreq .= "\nemailAddress=".$CAmail;
  $keyreq .= "\n0.OU=".$CAorg." client certificate";
  $keyreq .= "\norganizationName=".$CAorg;
  $keyreq .= \ncountryName
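
The server-side step described in the attachment above, as an added example that is not part of the original post or of the poster's project: it strips the line breaks from the posted value, checks the SPKAC's own signature and its embedded challenge with PHP's openssl_spki_* functions, and refuses line breaks in the DN values before building the file text. The function name build_spkac_request, the DN values and the throwaway key standing in for the browser are assumptions made up for illustration.

```php
<?php
// Added example, not from the original post; names and values are hypothetical.
function build_spkac_request(string $posted, string $issuedChallenge, array $dn): string
{
    // Browsers wrap the base64 value; the SPKAC file needs it on a single line.
    $spkac = str_replace(str_split(" \t\n\r\0\x0B"), '', $posted);
    if ($spkac === '' || base64_decode($spkac, true) === false) {
        throw new InvalidArgumentException('pubkey is not base64');
    }
    // The SPKAC is signed with the new private key: proof that the sender holds it.
    if (!openssl_spki_verify($spkac)) {
        throw new InvalidArgumentException('SPKAC signature does not verify');
    }
    // The signed structure embeds the challenge; it must be the one issued with the form.
    $challenge = openssl_spki_export_challenge($spkac);
    if ($challenge === false || !hash_equals($issuedChallenge, $challenge)) {
        throw new InvalidArgumentException('challenge mismatch');
    }
    $lines = ['SPKAC=' . $spkac];
    foreach ($dn as $field => $value) {
        // The file is line-based: a CR/LF inside a value would smuggle in extra fields.
        if (preg_match('/[\r\n\0]/', $value)) {
            throw new InvalidArgumentException("line break in $field");
        }
        $lines[] = $field . '=' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: a throwaway RSA key plays the browser's key pair.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$issued = bin2hex(random_bytes(16)); // in a real form this would be kept in the session
$wire = preg_replace('/^SPKAC=/', '', openssl_spki_new($key, $issued, OPENSSL_ALGO_SHA256));
$posted = chunk_split($wire, 64);    // simulate the line-wrapped form value

echo build_spkac_request($posted, $issued, [
    'CN' => 'alice', 'emailAddress' => 'ca@example.test',
    '0.OU' => 'Example Org client certificate', 'organizationName' => 'Example Org',
]);
try {
    build_spkac_request($posted, $issued, ['CN' => "alice\nCN=admin"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned text is what would be written to the file handed to `openssl ca -spkac` for signing.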

[whatwg] keygen element

2008-07-09 Thread Lars
Hi

I've been searching around in old mail in this mailing list to try to
find this answer, but all I could find about this html element is
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2005-November/thread.html#5092,
which isn't that good.

I have been reading a lot of documentation about this element (at
least, the documentation I could find, not much). I don't understand
why this isn't a standard yet, and from what I can see, it doesn't
look good for this element in HTML5 either.

For those of you who don't know what this element is doing; it's for
generating a private/public certificate keypair. The browser keeps the
private one, and the server gets the public one which it signs and
then sends back to the browser. This is extremely useful for secure
verification. Netbanks and other heavy security sites should/are using
this.

I have setup a system like this, and I'm more than happy to provide
info and examples of how it's done. I know that the documentation on
the element is almost non-existent.

Microsoft (IE) doesn't support this tag, but Firefox and Opera do.
Microsoft have info about why here:
http://support.microsoft.com/kb/190282.

Is there any hope for this element? What information does which people
want to make this an HTML5 standard?

Thanks
  Lars


Re: [whatwg] keygen element

2008-07-09 Thread Lars
Hi

This is using TLS/SSL.

Example: You tell your webserver that under directory /secure/ the
client must have a certificate signed by CA1. For the client to get
this certificate you normally make it, sign it, and then import it to
the browser. With the keygen attribute, all this is done in a clean
more secure way. The browser is generating everything, sends the
public key with SPKAC (http://www.openssl.org/docs/apps/spkac.html) to
the server.

So as you see, it's not a replacement of TLS/SSL in any way. It's just
a better way to do it.

--
  Lars

On Wed, Jul 9, 2008 at 2:35 PM, Rimantas Liubertas [EMAIL PROTECTED] wrote:
 ...
 For those of you who don't know what this element is doing; it's for
 generating a private/public certificate keypair. The browser keeps the
 private one, and the server gets the public one which it signs and
 then sends back to the browser. This is extremely useful for secure
 verification. Netbanks and other heavy security sites should/are using
 this.
 ...
 Is there any hope for this element? What information does which people
 want to make this an HTML5 standard?

 Hi,
 how is this better than SSL/TLS?


 Regards,
 Rimantas
 --
 http://rimantas.com/