I have some questions to which I was unable to find answers in the (numerous and long) threads on this subject.

1. When we download and install a client cert, what checking do we do? Do we insist upon it meeting the same algorithm requirements we have for servers with respect to use of things like short RSA keys and weak hashes (MD5/SHA-1)?

2. What is the potential scope of use for a client certificate? Global? The origin that provided it? Something in-between like domain or domain plus subdomains?

I'll go and dig around in the code if I have to, but if someone has the answers readily available, or wants to do the rummaging for me, that would be much appreciated.

On Wed, Jul 29, 2015 at 4:35 PM, David Keeler <dkee...@mozilla.com> wrote:
> [cc'd to dev-security for visibility. This discussion is intended to
> happen on dev-platform; please reply to that list.]
>
> Ryan Sleevi recently announced the pre-intention to deprecate and
> eventually remove support for the <keygen> element and special-case
> handling of the application/x-x509-*-cert MIME types from the blink
> platform (i.e. Chrome).
>
> Rather than reiterate his detailed analysis, I'll refer to the post here:
>
> https://groups.google.com/a/chromium.org/d/msg/blink-dev/pX5NbX0Xack/kmHsyMGJZAMJ
>
> Much, if not all, of that reasoning applies to gecko as well.
> Furthermore, it would be a considerable architectural improvement if
> gecko were to remove these features (particularly with respect to e10s).
> Additionally, if they were removed from blink, the compatibility impact
> of removing them from gecko would be lessened.
>
> I therefore propose we follow suit and begin the process of deprecating
> and removing these features. The intention of this post is to begin a
> discussion to determine the feasibility of doing so.
>
> Cheers,
> David