HTML5 Keygen Element and Internet Explorer

The Keygen element has been around since the Netscape days. It works in Firefox, Opera and Safari, but not in Internet Explorer. Being an official part of HTML5 means that it will be available in IE9, or will it?


Here is a description of what the keygen element does. I believe this is from the old Netscape docs at the now defunct developer.netscape.com.

“The KEYGEN tag facilitates the generation of key material and submission of the public key as part of an HTML form. This mechanism is designed for use in web-based certificate management systems. It displays a menu of key-size choices from which the user must choose one. Then, when the submit button is clicked, a key pair of the selected size is generated. The private key is encrypted and stored in the local key database.
The public key and challenge string are DER encoded as PublicKeyAndChallenge and then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally submitted to the server as the value of a name-value pair, where the name is specified by the NAME attribute of the KEYGEN tag.”

If crypto’s not part of your skill set, suffice it to say that it gives your browser the ability to generate a public/private key pair, so that you can use a client certificate with secure servers; that makes it very difficult for someone else’s browser to pretend it is your browser and get at the things you are trying to keep secure.

I was trying different HTML5 tags in the Internet Explorer Platform Preview 3 and when I got to the keygen element, it did not work. I endeavored to find out if it was to be included in the near future.

It took me a while, but I found a pretty good answer in the HTMLWG mailing list archives at http://lists.w3.org/Archives/Public/public-html/2009Sep/0043.html

The post is from last September (2009) and is by Adrian Bateman, a program manager in Microsoft’s Internet Explorer group who is working on getting HTML5 into IE and, so far, doing a very good job of it. His post is a response to the same question I am asking: is IE going to support the keygen element as defined in the HTML5 spec? Here is his answer.

“The problem with <keygen> is that it fails to address the requirements that people have for certificate enrolment today. We see two main use cases for client-side certificate auth on the web today. One is some kind of web access to a financial institution like a bank or brokerage firm or to e-government sites. Another is enterprise remote access (although we commonly see the enterprise scenario handled with something like a smart card requiring offline provisioning). It’s hard to find examples of <keygen> being actively used today. Most commercial and government implementations use proprietary enrolment mechanisms often based on Java applets, Mozilla’s custom generateCRMFRequest, or Microsoft’s scriptable APIs such as CertEnroll.

Here are some of the limitations with <keygen>:

1. <keygen> typically requires the user to select the appropriate key length from a list. Most users are not equipped to make this decision. In general, the server should be able to indicate what type of key pair it wants including acceptable key length, algorithm, etc. For example, RSA 512 may not be something a bank wants to deal with. <keygen> doesn’t support this.

2. Creating the key pair (with <keygen>) and then having a certificate returned from the server to be installed on the client appear to the user as two separate actions. This is a poor user experience and there is no way to avoid this with <keygen>. A better approach would have the key submission and certificate response integrated into the same control.

3. <keygen> does not provide a mechanism for managing certificate expiry. This forces the user to repeat the initial key creation process whenever certificates expire.

4. The format used by <keygen> is not standard and only provides a subset of already established protocols like PKCS10 (http://tools.ietf.org/html/rfc2986), CMC (http://tools.ietf.org/html/rfc5272), and CRMF (http://tools.ietf.org/html/rfc4211). This prevents <keygen> from supporting non-RSA based certificates, extensions for additional client information, and key escrow.

These deficiencies mean that browser vendors have introduced alternative mechanisms for managing certificate enrolment.

Given these issues with <keygen> we think that requiring support in order to be a conforming HTML 5 user agent is problematic. At the very least, we believe that <keygen> should be marked as obsolete in the spec. We would prefer that this was removed from the HTML 5 spec and documented elsewhere if necessary. <keygen> only supports part of the old Netscape protocol – the rest of the process isn’t documented in the spec.

It is extremely unlikely that Microsoft will ever implement support for <keygen> – we do not believe it provides value for our customers. We are prepared to consider creating common APIs that allow interoperability across browsers and also address customers’ real needs either in a future version of the spec or as a separate work item.”

The answer satisfies my curiosity. The arguments for and against supporting the keygen element both seem reasonable. Proponents of HTML5 want the full spec supported by all browsers. It’s better for developers and, more importantly, it is better for the users. Microsoft already has a system for browser crypto that is richer than keygen and, more importantly, entrenched and working in many large systems, which they would be crazy to tinker with for the sake of adding keygen support to IE. No keygen element for IE.
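To make the Netscape description of the keygen mechanism concrete, here is an added example in Go that is not code from the original post, from Netscape or from Microsoft. It plays both sides of a keygen enrolment: the browser side builds a SignedPublicKeyAndChallenge (SPKAC) from a fresh RSA key pair and the server's challenge string, and the server side decodes it, checks that the challenge is the one it issued for this session (so a captured submission cannot be replayed), enforces a minimum key size (Bateman's RSA 512 point: keygen lets the user choose the key length, so the server has to check it) and verifies the signature as proof that the submitter holds the private key. Assumptions for the example: the signature algorithm is sha256WithRSAEncryption rather than the MD5-with-RSA of the Netscape-era implementations, the 2048-bit policy minimum, and the challenge value, which is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
)

// PublicKeyAndChallenge ::= SEQUENCE { spki SubjectPublicKeyInfo, challenge IA5String }
type publicKeyAndChallenge struct {
	SPKI      asn1.RawValue // SubjectPublicKeyInfo kept as raw DER
	Challenge string        `asn1:"ia5"`
}

// SignedPublicKeyAndChallenge ::= SEQUENCE { publicKeyAndChallenge, signatureAlgorithm, signature BIT STRING }
// The inner SEQUENCE stays a RawValue so the server hashes exactly the bytes that were signed.
type signedPublicKeyAndChallenge struct {
	PublicKeyAndChallenge asn1.RawValue
	SignatureAlgorithm    pkix.AlgorithmIdentifier
	Signature             asn1.BitString
}

var oidSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} // sha256WithRSAEncryption (example assumption)

const minRSABits = 2048 // server policy: <keygen> lets the user choose the size, so the server must check it

// makeSPKAC plays the browser: bind the public key to the server's challenge, sign with the
// private key, and base64 the DER for submission as the <keygen> form field value.
func makeSPKAC(priv *rsa.PrivateKey, challenge string) (string, error) {
	spkiDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	tbs, err := asn1.Marshal(publicKeyAndChallenge{SPKI: asn1.RawValue{FullBytes: spkiDER}, Challenge: challenge})
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(tbs)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	der, err := asn1.Marshal(signedPublicKeyAndChallenge{
		PublicKeyAndChallenge: asn1.RawValue{FullBytes: tbs},
		SignatureAlgorithm:    pkix.AlgorithmIdentifier{Algorithm: oidSHA256WithRSA, Parameters: asn1.NullRawValue},
		Signature:             asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// verifySPKAC plays the server: decode, require the challenge issued for this session
// (anti-replay), enforce key policy, and check the signature as proof of possession.
func verifySPKAC(b64, expectedChallenge string) (*rsa.PublicKey, error) {
	der, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("spkac: bad base64: %w", err)
	}
	var outer signedPublicKeyAndChallenge
	if rest, err := asn1.Unmarshal(der, &outer); err != nil || len(rest) != 0 {
		return nil, errors.New("spkac: malformed SignedPublicKeyAndChallenge")
	}
	var inner publicKeyAndChallenge
	if _, err := asn1.Unmarshal(outer.PublicKeyAndChallenge.FullBytes, &inner); err != nil {
		return nil, errors.New("spkac: malformed PublicKeyAndChallenge")
	}
	if inner.Challenge != expectedChallenge {
		return nil, errors.New("spkac: challenge mismatch (replayed or foreign request)")
	}
	if !outer.SignatureAlgorithm.Algorithm.Equal(oidSHA256WithRSA) {
		return nil, fmt.Errorf("spkac: unsupported signature algorithm %v", outer.SignatureAlgorithm.Algorithm)
	}
	pubAny, err := x509.ParsePKIXPublicKey(inner.SPKI.FullBytes)
	if err != nil {
		return nil, fmt.Errorf("spkac: bad SubjectPublicKeyInfo: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < minRSABits {
		return nil, fmt.Errorf("spkac: policy requires an RSA key of at least %d bits", minRSABits)
	}
	digest := sha256.Sum256(outer.PublicKeyAndChallenge.FullBytes)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], outer.Signature.RightAlign()); err != nil {
		return nil, errors.New("spkac: signature invalid, no proof of possession")
	}
	return pub, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const challenge = "constructed-session-challenge-42" // the value the server put in the challenge attribute
	spkac, _ := makeSPKAC(priv, challenge)
	_, err := verifySPKAC(spkac, challenge)
	fmt.Println("spkac accepted:", err == nil)
}
```

The server never trusts the submitted key size or algorithm: it parses the SubjectPublicKeyInfo itself and applies its own policy, and it hashes the raw PublicKeyAndChallenge bytes it received rather than re-encoding them, so the signature check covers exactly what the browser signed. A real certificate authority would then put the verified public key into a certificate; that step, and returning the certificate to the browser, is outside what keygen itself covers, which is the second of Bateman's objections.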

