The Keygen element has been around since the Netscape days. It works in Firefox, Opera and Safari but Not in Internet Explorer. Being an official part of HTML5 means that this will be available in IE9 or will it?
Here is a description of what the keygen element does. I believe this is from the old Netscape docs at the now defunct developer.netscape.com.
The public key and challenge string are DER encoded as PublicKeyAndChallenge and then digitally signed with the private key to produce a SignedPublicKeyAndChallenge. The SignedPublicKeyAndChallenge is base64 encoded, and the ASCII data is finally submitted to the server as the value of a name-value pair, where the name is specified by the NAME attribute of the KEYGEN tag.”
If crypto’s not part of your skill set, suffice it to say that it gives your browser the ability to generate a public/private key pair that allows you to use certificates with secure servers that make it very difficult for someone else’s browser to pretend they are your browser and access the stuff you are trying to keep secure.
I was trying different HTML5 tags in the Internet Explorer Platform Preview 3 and when I got to the keygen element, it did not work. I endeavored to find out if it was to be included in the near future.
It took me awhile but I found a pretty good answer in the HTMLWG mailing list archives at http://lists.w3.org/Archives/Public/public-html/2009Sep/0043.html
The post is from last September (2009) and is by Adrian Bateman a program manager in Microsoft’s Internet Explorer group who is working on getting HTML5 into IE and doing a very good job of it so far. His post is a response to the same question I am asking. Is IE going to support the keygen element as defined in the HTML5 spec? Here is his answer.
Here are some of the limitations with <keygen>:
1. <keygen> typically requires the user to select the appropriate key length from a list. Most users are not equipped to make this decision. In general, the server should be able to indicate what type of key pair it wants including acceptable key length, algorithm, etc. For example, RSA 512 may not be something a bank wants to deal with. <keygen> doesn’t support this.
2. Creating the key pair (with <keygen>) and then having a certificate returned from the server to be installed on the client appear to the user as two separate actions. This is a poor user experience and there is no way to avoid this with <keygen>. A better approach would have the key submission and certificate response integrated into the same control.
3. <keygen> does not provide a mechanism for managing certificate expiry. This forces the user to repeat the initial key creation process whenever certificates expire.
4. The format used by <keygen> is not standard and only provides a subset of already established protocols like PKCS10 (http://tools.ietf.org/html/rfc2986), CMC (http://tools.ietf.org/html/rfc5272), and CRMF (http://tools.ietf.org/html/rfc4211). This prevents <keygen> from supporting non-RSA based certificates, extensions for additional client information, and key escrow.
These deficiencies mean that browser vendors have introduced alternative mechanisms for managing certificate enrolment.
Given these issues with <keygen> we think that requiring support in order to be a conforming HTML 5 user agent is problematic. At the very least, we believe that <keygen> should be marked as obsolete in the spec. We would prefer that this was removed from the HTML 5 spec and documented elsewhere if necessary. <keygen> only supports part of the old Netscape protocol – the rest of the process isn’t documented in the spec.
It is extremely unlikely that Microsoft will ever implement support for <keygen> – we do not believe it provides value for our customers. We are prepared to consider creating common APIs that allow interoperability across browsers and also address customers’ real needs either in a future version of the spec or as a separate work item.”
The answer satisfies my curiosity. The arguments for and against supporting the keygen element both seem reasonable. Proponents of HTML5 want the full spec supported by all browsers. It’s better for developers and more importantly, it is better for the users. Microsoft already has a system for browser crypto that is richer than keygen and more importantly, entrenched and working in many large systems which they would be crazy to tinker with for the sake of adding keygen support to IE. No keygen element for IE.