Hi,

In our case, we use <keygen> to generate a keypair on our SSCD (smartcard) using Firefox, because, with the PKCS#11 module configured, it asks where to store the keys, so the user selects CARD.
Using Webcrypto or other JS stuff I won't be able to populate my smartcards, so -IMHO- you should keep it as long as there's a real alternative for this kind of operations.

You already removed signText and since then I cannot use the "national certificates renewal" feature on Firefox (only on IE)... not with Edge or Firefox. I know a lot of colleagues with the same problem, and that's why there has been a rumble about "out of scope smartcards on Webcrypto".

I could agree with you that smartcards are not intended for Web, they suck and whatever... but if you start to remove this feature, then it's time I start looking for another job :P

On Fri, Jul 31, 2015 at 1:00 PM, Hubert Kario <hka...@redhat.com> wrote:

> On Thursday 30 July 2015 14:32:01 Richard Barnes wrote:
> > On Thu, Jul 30, 2015 at 6:53 AM, Hubert Kario <hka...@redhat.com> wrote:
> > > On Wednesday 29 July 2015 16:35:41 David Keeler wrote:
> > > > [cc'd to dev-security for visibility. This discussion is intended to
> > > > happen on dev-platform; please reply to that list.]
> > > >
> > > > Ryan Sleevi recently announced the pre-intention to deprecate and
> > > > eventually remove support for the <keygen> element and special-case
> > > > handling of the application/x-x509-*-cert MIME types from the blink
> > > > platform (i.e. Chrome).
> > > >
> > > > Much, if not all, of that reasoning applies to gecko as well.
> > > > Furthermore, it would be a considerable architectural improvement if
> > > > gecko were to remove these features (particularly with respect to e10s).
> > > > Additionally, if they were removed from blink, the compatibility impact
> > > > of removing them from gecko would be lessened.
> > > >
> > > > I therefore propose we follow suit and begin the process of deprecating
> > > > and removing these features. The intention of this post is to begin a
> > > > discussion to determine the feasibility of doing so.
> > >
> > > because pushing people to use Internet Explorer^W^W Spartan^W Edge in
> > > enterprise networks is a good plan to continue losing market share for
> > > Mozilla products! /s
> > >
> > > lack of easy, cross-application certificate deployment is the _reason_ for
> > > low rates of deployment of client certificates, but where they are deployed,
> > > they are _critical_
> >
> > <keygen> doesn't help you with cross-application deployment. After all, IE
> > doesn't support it.
>
> and how removing <keygen> makes the situation better?
>
> yes, Firefox doesn't deploy to system cert store (by default), but it's a bug
> in Firefox, not a feature
> --
> Regards,
> Hubert Kario
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform