@csarven
Created September 4, 2015 16:09
Re: [whatwg] deprecating <keygen>
From - Fri Sep 04 15:54:32 2015
X-Mozilla-Status: 1015
X-Mozilla-Status2: 00800000
X-Mozilla-Keys: $label1
From: Sarven Capadisli <info@csarven.ca>
Subject: Re: [whatwg] deprecating <keygen>
To: whatwg@whatwg.org
References: <alpine.DEB.2.00.1509031804230.23815@ps20323.dreamhostps.com>
<alpine.DEB.2.00.1509031804230.23815@ps20323.dreamhostps.com>
Message-ID: <55E9A297.30002@csarven.ca>
Date: Fri, 4 Sep 2015 15:54:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.00.1509031804230.23815@ps20323.dreamhostps.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

On 2015-09-03 18:21:00 +0000, Ian Hickson wrote:
> The post foolip pointed to points out that <keygen> is actually rather
> insecure (e.g. using MD5). One could argue that _keeping_ <keygen> is
> actually more harmful to asymmetric-key cryptography than removing it...

I presume the information you are referring to, which neither Philip
Jägenstedt nor yourself cited, is the following:

"4) <keygen> itself is problematically and incompatibly insecure -
requiring the use of MD5 in a signing algorithm as part of the SPKAC
generated. This can't easily be changed w/o breaking compatibility with
UAs" [1]. Neither did it provide citations or clarify the position.

Nevertheless, '<keygen> & "md5WithRSAEncryption"' [2] offers an
explanation with references, not to mention that it is accompanied by
code and a diagram, to help clarify the misunderstanding of [1] and WHATWG.

Does that help?

[1] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/pX5NbX0Xack/kmHsyMGJZAMJ
[2] https://github.com/whatwg/html/issues/102

-Sarven
http://csarven.ca/#i