
Re: WebCrypto - In "progress" since 2012

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 30 Apr 2016 06:08:51 +0200
To: Randall Leeds <randall.leeds@gmail.com>, Web Payments CG <public-webpayments@w3.org>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <9b3da70d-0bee-6939-d41d-5cb2f6879900@gmail.com>

On 2016-04-30 02:02, Randall Leeds wrote:
> Pieces of WebCrypto land in every new release of these major browsers
> and the post you refer to is taking stock of things that are remaining barriers to interoperability.

AFAIK, Microsoft haven't implemented WebCrypto according to the spec. for IE, only for Edge (which doesn't run on Win < 10) but that's just a minor comment.

>
> Just this past week, Firefox 46, "Added HKDF support for Web Crypto API <https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API>".
>
> From my vantage point, WebCrypto is happening.

If we stick to hype and (likely) future usage, it appears that FIDO have taken this spot.
Currently, the vast majority of client-side crypto-using applications are built on "Apps".

Are there any major applications out there relying on WebCrypto?


> Does the progress disappoint you? Why? What's your rush?

> More importantly, how is your vague complaining supposed to be in any way helpful?
>
> What are we supposed to take away from your message?

The thing I mentioned as another way forward.  It has IMO much better chances of getting traction because crypto without trusted UI and trusted storage isn't that terribly useful.

These topics were either rejected or ignored by the WebCrypto WG.

The Web Payment WG haven't mentioned WebCrypto as a possible security solution.

But there's nothing to get hung about; some standards get wide-spread adoption, others do not.
However, I think it could be useful analyzing the outcome of every standards effort in order to (maybe) be better prepared for new endeavors!

Anders

>
> On Fri, Apr 29, 2016 at 1:56 AM Timothy Holborn <timothy.holborn@gmail.com> wrote:
>
>     imho cryptography that is highly secure from un-intended use seemed interesting yet difficult to find means to work collaboratively on the stuff that would otherwise be considered 'low hanging fruit'. So, when thinking about it from a modern context - I also took into account quantum computing capabilities as to consider meaningfully concepts surrounding the principle of 'rule of law' where I noted today the following text
>
>     There is no single agreed definition of the rule of law. However, there is a basic core definition that has near universal acceptance.
>
>     As Emeritus Professor Geoffrey Walker, has written in his defining work on the rule of law in Australia: ‘…most of the content of the rule of law can be summed up in two points:
>
>     (1) that the people (including, one should add, the government) should be ruled by the law and obey it and
>
>     (2) that the law should be such that people will be able (and, one should add, willing) to be guided by it.’
>
>     – Geoffrey de Q. Walker, The rule of law: foundation of constitutional democracy, (1st Ed., 1988).
>
>
>
>     Source: http://www.ruleoflaw.org.au/principles/
>
>
>     also, IMHO: It's that concept of a 'human centric web' that's most difficult to discover.   Yet in consideration - the way most people (who are old enough to remember) started on the web with trumpet winsock[2] - not something that was packaged with the OS (without going into the really old stuff...).
>
>     Now therefore; When considering the concept of the map [3] I've been thinking about the differences or nuances between the goals of building a web for documents (ie: web 1/2) and one for data ("web 3").  If a 'trumpet winsock' to deal with the ID/Crypto issues were produced today, what would it do and how could it be packaged?  How would it solve the very diverse issues that relate to the problem-domain?
>
>     I guess underlying it all is a need to acknowledge that decisions are being made about processes that are being put into the hands of various parties and pending the architectural decisions of those designs; we'll end-up with different social outcomes regardless of 'who wins' the more myopically definitive process  as to have successfully completed the project.   Equally; I'm probably better off coding rather than thinking and well, the work done here has been rather awesome; so perhaps it's just my expectations that need to be adjusted...  that balance between doing your best and living with humility / being human.
>
>     I think more work needs to go into producing interoperability with SoLiD[4] solutions.  For me the process of trying to bring the two worlds together seems really very daunting...
>
>     Tim.H
>
>     [1] https://en.wikipedia.org/wiki/Lattice-based_cryptography
>     [2] http://thanksfortrumpetwinsock.com/
>     [3] https://www.w3.org/2007/09/map/main.jpg
>     [4] https://github.com/solid/
>
>
>     On Tue, 19 Apr 2016 at 15:33 Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>         https://lists.w3.org/Archives/Public/public-webcrypto/2016Jan/0022.html
>
>         And still no interoperable standard.
>
>         Making it possible extending browsers through Apps seems like a much easier way keeping the Web alive and kicking.
>         Insurmountable security issues?  No, Google and Microsoft have solved these in Web Payments; they just haven't shared their findings with us.
>
>         Anders
>
Received on Saturday, 30 April 2016 04:09:38 UTC
