Re: Help needed talking to upstream browser developers about Debian SSO
On Sun, October 11, 2015 20:50, Enrico Zini wrote:
> However, there is discussion in the Chrome and Mozilla communities
> about deprecating client certificate authentication. In those threads,
> I don't quite mind if <keygen> is removed, as long as there would be a
> replacement that allows the existence and growth of an ecosystem with
> shared identification, based on popular standards and easy to use and
Thanks for the heads-up. Debian is most certainly not the only one to use
client certificates for (Single) Sign On so keeping client certificates
usable is important.
Reading the threads you link, however, those indeed seem to be centered
around removal of the "<keygen>" tag, not deprecating the entire X.509
client certificate support of browsers. Basically, the point is that
enrolment should be done differently.
While we make use of that tag (e.g. in the TERENA Personal Certificate
Service that some academics may know), the browser developers may have a
point that there are other ways to implement the enrolment step. People
can generate a certificate locally with openssl or other tools, through
HTML5 or JS.
The current <keygen> tag is convenient (as it requires 8 bytes to
implement browser based certificate generation), but I'd have to
investigate these other options to see whether they are viable. I can't
conclude right now that they are unreasonable for suggesting that.
Especially for tech-savvy use cases the in-browser generation should not
be essential. So I'm not sure that Debian would have a strong point in
I'm emailing to check if indeed you're referring only to removal of the
<keygen> tag, not the entire X.509 client certificate support from
browsers. If the latter discussions are happening, I'd love a link to