SPKAC

Last updated November 11, 2023

SPKAC (Signed Public Key and Challenge, also known as Netscape SPKI) is a format for sending a certificate signing request (CSR): it encodes a public key, that can be manipulated using OpenSSL.^[1] It is created using the little documented HTML keygen element^[2] inside a number of Netscape compatible browsers.

Standardisation

There exists an ongoing effort to standardise SPKAC through an Internet Draft in the Internet Engineering Task Force (IETF). The purpose of this work has been to formally define what has existed prior as a de facto standard, and to address security deficiencies, particular with respect to historic insecure use of MD5 that has since been declared unsafe for use with digital signatures as per RFC 6151.^[3]

Implementations

HTML5 originally specified the <keygen> element to support SPKAC in the browser to make it easier to create client side certificates through a web service for protocols such as WebID;^[4]^[5] however, subsequent work for HTML 5.1 placed the keygen element "at-risk", and the first public working draft of HTML 5.2 removes the keygen element entirely.^[6]^[7]^[8] The removal of the keygen element is due to non-interoperability and non-conformity from a standards perspective in addition to security concerns.^[9]

The World Wide Web Consortium (W3C) Web Authentication Working Group developed the WebAuthn (Web Authentication) API to replace the keygen element.^[10]

Bouncy Castle provides a Java class.^[11]^[12]

An implementation for Erlang/OTP exists too.^[13]

An implementation for Python is named pyspkac.^[14]

PHP OpenSSL extension as of version 5.6.0.^[15]

Node.js implementation.^[16]

Deficiencies

The user interface needs to be improved in browsers, to make it more obvious to users when a server is asking for the client certificate.^[17]

Related Research Articles

<span class="mw-page-title-main">Document Object Model</span> Convention for representing and interacting with objects in HTML, XHTML, and XML documents

The Document Object Model (DOM) is a cross-platform and language-independent interface that treats an HTML or XML document as a tree structure wherein each node is an object representing a part of the document. The DOM represents a document with a logical tree. Each branch of the tree ends in a node, and each node contains objects. DOM methods allow programmatic access to the tree; with them one can change the structure, style or content of a document. Nodes can have event handlers attached to them. Once an event is triggered, the event handlers get executed.

JavaScript, often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2023, 98.7% of websites use JavaScript on the client side for webpage behavior, often incorporating third-party libraries. All major web browsers have a dedicated JavaScript engine to execute the code on users' devices.

The HyperText Markup Language or HTML is the standard markup language for documents designed to be displayed in a web browser. It defines the meaning and structure of web content. It is often assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript.

An HTML element is a type of HTML document component, one of several types of HTML nodes. The first used version of HTML was written by Tim Berners-Lee in 1993 and there have since been many versions of HTML. The most commonly used version is HTML 4.01, which became official standard in December 1999. An HTML document is composed of a tree of simple HTML nodes, such as text nodes, and HTML elements, which add semantics and formatting to parts of document. Each element can have HTML attributes specified. Elements can also have content, including other elements and text.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

In the context of a web browser, a frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. The HTML or media elements in a frame may come from a web site distinct from the site providing the enclosing content. This practice, known as framing, is today often regarded as a violation of same-origin policy.

DOM Events are a signal that something has occurred, or is occurring, and can be triggered by user interactions or by the browser. Client-side scripting languages like JavaScript, JScript, VBScript, and Java can register various event handlers or listeners on the element nodes inside a DOM tree, such as in HTML, XHTML, XUL, and SVG documents.

XMLHttpRequest (XHR) is a JavaScript class containing methods to asynchronously transmit HTTP requests from a web browser to a web server. The methods allow a browser-based application to make a fine-grained server call and store the results in XMLHttpRequest's responseText attribute. The XMLHttpRequest class is a component of Ajax programming. Prior to Ajax, an HTML form needed to be completely sent to the server followed by a complete browser page refresh.

In computer hypertext, a URI fragment is a string of characters that refers to a resource that is subordinate to another, primary resource. The primary resource is identified by a Uniform Resource Identifier (URI), and the fragment identifier points to the subordinate resource.

In computing, the same-origin policy (SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM).

A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. For example, forms can be used to enter shipping or credit card data to order a product, or can be used to retrieve search results from a search engine.

RDFa or Resource Description Framework in Attributes is a W3C Recommendation that adds a set of attribute-level extensions to HTML, XHTML and various XML-based document types for embedding rich metadata within Web documents. The Resource Description Framework (RDF) data-model mapping enables its use for embedding RDF subject-predicate-object expressions within XHTML documents. It also enables the extraction of RDF model triples by compliant user agents.

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

HTML5 is a markup language used for structuring and presenting content on the World Wide Web. It is the fifth and final major HTML version that is a World Wide Web Consortium (W3C) recommendation. The current specification is known as the HTML Living Standard. It is maintained by the Web Hypertext Application Technology Working Group (WHATWG), a consortium of the major browser vendors.

Server-Sent Events (SSE) is a server push technology enabling a client to receive automatic updates from a server via an HTTP connection, and describes how servers can initiate data transmission towards clients once an initial client connection has been established. They are commonly used to send message updates or continuous data streams to a browser client and designed to enhance native, cross-browser streaming through a JavaScript API called EventSource, through which a client requests a particular URL in order to receive an event stream. The EventSource API is standardized as part of HTML5 by the WHATWG. The media type for SSE is text/event-stream.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Wakanda is a JavaScript platform to develop and run web or mobile apps.

HTML5 Audio is a subject of the HTML5 specification, incorporating audio input, playback, and synthesis, as well as, in the browser. iOS

Blink is a browser engine developed as part of the Chromium project with contributions from Apple, Google, Meta, Microsoft, Opera Software, Adobe, Intel, IBM, Samsung, and others. It was first announced in April 2013.

References

↑ "Documents, spkac(1)". OpenSSL. Retrieved 5 April 2017.
↑ "Html | Mdn". Developer.mozilla.org. 15 August 2013. Retrieved 13 October 2013.
↑ "RFC 6151 – Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms". Internet Engineering Task Force. March 2011. Retrieved 11 November 2013.
↑ "HTML5 W3C Recommendation 28 October 2014. 4.10.12 The keygen element". W3C. 28 October 2014. Retrieved 17 October 2016.
↑ "WebID: creating a global decentralised authentication protocol". W3C. Retrieved 13 October 2013.
↑ Nevile, Chaals (3 June 2016). "Re: Call for Consensus - Remove <keygen> from HTML". W3C HTML Working Group (Mailing list). Retrieved 17 October 2016.
↑ "HTML5.1: CR 21 June 2016. Status of this document". W3C. 21 June 2016. Retrieved 17 October 2016.
↑ "HTML 5.2: First Public WD. Changes from HTML 5.1". W3C. 18 August 2016. Retrieved 17 October 2016.
↑ W3C Technical Architecture Group (30 November 2015). "Keygen and Client Certificates". W3C. Retrieved 17 October 2016.
↑ Halpin, Harry; Appelquist, Daniel; Mill, Eric; Gmür, Reto (31 May 2016). "Re: removing keygen from HTML". W3C WWW Technical Architecture Group (Mailing list). Retrieved 17 October 2016.
↑ "Bouncy Castle Java Documentation" . Retrieved 6 December 2013.
↑ "foaf-protocols] spkac test implementation in Java". Lists.foaf-project.org. Retrieved 13 October 2013.
↑ "ztmr/espkac @ GitHub". Github.com. Retrieved 13 October 2013.
↑ "pyspkac". Github.com. Retrieved 6 December 2013.
↑ "php 5.6.0 OpenSSL Native SPKAC support".
↑ "node.js spki support".
↑ "User tracking with SSL certificates in Firefox - The H Security: News and Features". Heise-online.co.uk. 19 September 2007. Archived from the original on 19 September 2008. Retrieved 13 October 2013.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Documents, spkac(1)". OpenSSL. Retrieved 5 April 2017.

[2] "Html | Mdn". Developer.mozilla.org. 15 August 2013. Retrieved 13 October 2013.

[3] "RFC 6151 – Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms". Internet Engineering Task Force. March 2011. Retrieved 11 November 2013.

[4] "HTML5 W3C Recommendation 28 October 2014. 4.10.12 The keygen element". W3C. 28 October 2014. Retrieved 17 October 2016.

[5] "WebID: creating a global decentralised authentication protocol". W3C. Retrieved 13 October 2013.

[6] Nevile, Chaals (3 June 2016). "Re: Call for Consensus - Remove <keygen> from HTML". W3C HTML Working Group (Mailing list). Retrieved 17 October 2016.

[7] "HTML5.1: CR 21 June 2016. Status of this document". W3C. 21 June 2016. Retrieved 17 October 2016.

[8] "HTML 5.2: First Public WD. Changes from HTML 5.1". W3C. 18 August 2016. Retrieved 17 October 2016.

[9] W3C Technical Architecture Group (30 November 2015). "Keygen and Client Certificates". W3C. Retrieved 17 October 2016.

[10] Halpin, Harry; Appelquist, Daniel; Mill, Eric; Gmür, Reto (31 May 2016). "Re: removing keygen from HTML". W3C WWW Technical Architecture Group (Mailing list). Retrieved 17 October 2016.

[11] "Bouncy Castle Java Documentation" . Retrieved 6 December 2013.

[12] "foaf-protocols] spkac test implementation in Java". Lists.foaf-project.org. Retrieved 13 October 2013.

[13] "ztmr/espkac @ GitHub". Github.com. Retrieved 13 October 2013.

[14] "pyspkac". Github.com. Retrieved 6 December 2013.

[15] "php 5.6.0 OpenSSL Native SPKAC support".

[16] "node.js spki support".

[17] "User tracking with SSL certificates in Firefox - The H Security: News and Features". Heise-online.co.uk. 19 September 2007. Archived from the original on 19 September 2008. Retrieved 13 October 2013.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]