PKI support in W3C's HTML5
Yes, I know that PKIX is only targeting ASN.1-based
stuff related to PKI. However, there may be a few PKIX subscribers out
there who have interests in things that affect the use of these ASN.1 structures
as well :-)
W3C has recently adopted WHATWG's HTML5 work which in
addition to extended content support also incorporates Netscape's <keygen>
in the plot.
I have long claimed that <keygen> is insufficient since it doesn't enable issuers to define:
- anything related to PIN-codes
- anything related to key-strength (it is unilaterally set by the user)
In addition, there is no "algorithm agility" support.
Apparently Microsoft also have doubts about the viability of <keygen>:
http://lists.w3.org/Archives/Public/public-html/2009Aug/0389.html
Is a "<keygen>" facility important? For PCs probably not (smart cards are distributed physically), but for mobile
phones there is hardly any alternative since SIM-cards are constrained by
operators, while $200+ external card readers probably don't fit on-line banking
and similar consumer activities:
http://na.blackberry.com/eng/ataglance/security/products/smartcardreader
SD-cards are another possibility but are much more complex to
get running than schemes based on on-board storage of credentials because form
factors vary and there is still no generally accepted interface between
PKI-cards and operating systems, making interoperability a true nightmare, not to
mention the distribution of third-party middleware to consumers.
So what's missing? A "<keygen>" addressing everything from ease-of-use
to algorithm agility, as well as supporting security-enhancing additions to CPUs
like TI's "TrustZone" and Intel's "TXT".
Where would such a scheme be defined? It appears that there
are no standards bodies catering for "neutral" mobile phone security solutions;
they are usually biased towards mobile phone operators, largely ignoring the
obvious:
"On the Internet anybody can be an operator of something"
Standards (de-facto or real) should of course be designed accordingly.
Note: For enterprises there are, as shown, some [quite pricey] solutions supporting a limited set
of platforms; what I'm referring to are the more than 3 BILLION consumers equipped with mobile phones. Since the
mobile phone is quickly becoming our closest link to the Internet, this is a pretty interesting area.
The primary hurdle seems to be that in order to succeed, you must go outside of traditional
standardization boundaries since it is not about creating "yet another protocol", it is about providing a complete
issuer-independent foundation for distributing and managing user-keys, which also runs deep into
cryptographic platforms which were never designed for secure remote operations by consumers neither
having "Security Officers" nor IT-support at hand!
Thanx,
Anders Rundgren
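
Added example, not part of the original message or of any browser's or CA's code: because <keygen> lets the user pick the key strength, an issuer can only inspect the submitted SPKAC (the base64 SignedPublicKeyAndChallenge that <keygen> posts) and reject it after the fact. The 2048-bit minimum, the function names and the sample submissions are assumptions; the sample uses a dummy modulus and dummy signature, and signature verification is left out.

```python
import base64
import hmac

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(buf, pos=0):
    """Read one definite-length DER element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE content into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def spkac_key_info(spkac_b64):
    """Return (challenge, RSA modulus bits). The signature is NOT verified here."""
    _, body, _ = read_tlv(base64.b64decode(spkac_b64))
    (_, spki), (_, challenge) = children(children(body)[0][1])[:2]
    (_, alg), (_, key_bits) = children(spki)[:2]
    if children(alg)[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, rsa_key, _ = read_tlv(key_bits[1:])  # skip the BIT STRING unused-bits octet
    return challenge.decode("ascii"), int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def issuer_accepts(spkac_b64, expected_challenge, min_bits=2048):
    """min_bits is a hypothetical issuer policy; it can only be enforced after the fact."""
    challenge, bits = spkac_key_info(spkac_b64)
    return hmac.compare_digest(challenge, expected_challenge) and bits >= min_bits

def tlv(tag, value):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(value)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + value

def sample_spkac(bits, challenge):
    """Constructed SPKAC with a dummy modulus and dummy signature, not a real key."""
    rsa = tlv(0x30, tlv(0x02, ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    pkac = tlv(0x30, tlv(0x30, alg + tlv(0x03, b"\x00" + rsa)) + tlv(0x16, challenge.encode()))
    return base64.b64encode(tlv(0x30, pkac + alg + tlv(0x03, b"\x00" * 9))).decode()
```

A rejection here happens only after the user has already generated and stored the key, which is the gap the message describes.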