Keygen tag in HTML5

Tags:

html

security

ssl

So I came across this new tag in HTML5, <keygen>. I can't quite figure out what it is for, how it is applied, and how it might affect browser behavior.

I understand that this tag is for form encryption, but what is the difference between <keygen> and having an SSL certificate for your domain? Also, what is the challenge attribute?

I'm not planning on using it as it is far from implemented in an acceptable range of browsers, but I am curious as to what EXACTLY this tag does. All I can find is vague cookie-cutter documentation with no real examples of usage.


Edit:

I have found a VERY informative document, here. This runs through both client-side and server-side implementation of the keygen tag.

I am still curious as to what the benefit of this over a domain SSL certificate would be.

Craige asked Dec 21 '10 16:12


People also ask

Is keygen a valid HTML5 tag now?

The <keygen> element is only valid within an HTML form. It will cause some sort of selection to be presented to the user for selecting key size.

What is keygen tag used for in HTML?

The <keygen> tag in HTML is used to specify a key-pair generator field in a form. The purpose of the <keygen> element is to provide a secure way to authenticate users. When the form is submitted, two keys are generated: a private key and a public key. The private key is stored locally, and the public key is sent to the server.

What is the purpose of keygen element in HTML5 Mcq?

The keygen element represents a control for generating a public-private key pair and for submitting the public key from that key pair.


2 Answers

SSL is about "server identification" or "server AND client authentication (mutual authentication)".

In most cases only the server presents its server-certificate during the SSL handshake so that you could make sure that this really is the server you expect to connect to. In some cases the server also wants to verify that you really are the person you pretend to be. For this you need a client-certificate.

The <keygen> tag generates a public/private key pair and then creates a certificate request. This certificate request will be sent to a Certificate Authority (CA). The CA creates a certificate and sends it back to the browser. Now you are able to use this certificate for user authentication.

duddex answered Sep 22 '22 23:09
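
Added example, not part of either answer: a Node.js walk-through of the flow described above, with `browserKeygen` standing in for what the browser does on submit and `acceptSpkac` showing the server-side checks, including the role of the `challenge` attribute the question asks about. The helper names, the RSA-2048/SHA-256 choice and the challenge values are assumptions of this example; `crypto.Certificate` is Node's built-in reader for the SignedPublicKeyAndChallenge (SPKAC) structure that `<keygen>` submits.

```javascript
const crypto = require('crypto');

// Minimal DER tag-length-value encoder (bodies up to 65535 bytes).
function der(tag, body) {
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11, NULL params).
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Stand-in for the browser (hypothetical helper): generate a key pair, keep the
// private key local, and return the base64 SPKAC that the form field would carry.
function browserKeygen(challenge) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  // PublicKeyAndChallenge ::= SEQUENCE { SubjectPublicKeyInfo, challenge IA5String }
  const pkac = der(0x30, Buffer.concat([spki, der(0x16, Buffer.from(challenge, 'ascii'))]));
  const sig = crypto.sign('sha256', pkac, privateKey); // proves possession of the private key
  const sigBits = der(0x03, Buffer.concat([Buffer.from([0]), sig])); // BIT STRING, 0 unused bits
  return der(0x30, Buffer.concat([pkac, SHA256_RSA, sigBits])).toString('base64');
}

// Server side (hypothetical helper): accept the submission only if the signature
// verifies and the signed challenge is the one this server issued for the form.
function acceptSpkac(spkacB64, issuedChallenge) {
  const spkac = Buffer.from(spkacB64.replace(/\s+/g, ''), 'ascii'); // Node expects the base64 text
  if (!crypto.Certificate.verifySpkac(spkac)) return { ok: false, reason: 'bad signature' };
  const got = crypto.Certificate.exportChallenge(spkac);
  const want = Buffer.from(issuedChallenge, 'ascii');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'challenge mismatch' }; // replayed or foreign submission
  }
  // At this point a CA would issue a client certificate for this public key.
  return { ok: true, publicKeyPem: crypto.Certificate.exportPublicKey(spkac).toString('ascii') };
}

// Constructed run: a fresh random value plays the role of challenge="...".
const challenge = crypto.randomBytes(16).toString('hex');
const submitted = browserKeygen(challenge);
console.log(acceptSpkac(submitted, challenge).ok);
console.log(acceptSpkac(submitted, 'stale-challenge').reason);
```

Only the public key and the signed challenge ever reach the server; the private key stays in the browser's key store, which is what later lets the issued certificate authenticate the user rather than the site.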


You're missing some history. keygen was first supported by Netscape when it was still a relevant browser. IE, OTOH, supported the same use cases through its ActiveX APIs. Opera and WebKit (or even KHTML), unwilling to reverse-engineer the entire Win32 API, reverse-engineered keygen instead.

It was specified in Web Forms 2.0 (which has now been merged into the HTML specification), in order to improve interoperability between the browsers that implemented it.

Since then, the IE team has reiterated their refusal to implement keygen, and the specification (in order to avoid turning into dry science fiction) has been changed to not require an actual implementation:

Note: This specification does not specify what key types user agents are to support — it is possible for a user agent to not support any key types at all.

In short, this is not a new element, and unless you can ignore IE, it's probably not what you want.

Ms2ger answered Sep 22 '22 23:09