Re: WebCrypto - In "progress" since 2012

On 04/30/2016 12:08 AM, Anders Rundgren wrote:
> On 2016-04-30 02:02, Randall Leeds wrote:
>> Pieces of WebCrypto land in every new release of these major browsers
> > and the post you refer to is taking stock of things that are
> remaining barriers to interoperability.
>
> AFAIK, Microsoft haven't implemented WebCrypto according to the spec.
> for IE, only for Edge (which doesn't run on Win < 10) but that's just
> a minor comment.

Yes, because you don't make updates to previous versions of browsers.
You make updates to *newer* versions.
>
>>
>> Just this past week, Firefox 46, "Added HKDF support for Web Crypto
>> API <https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API>".
>>
>> From my vantage point, WebCrypto is happening.
>
> If we stick to hype and (likely) future usage, it appears that FIDO
> have taken this spot.
> Currently, the wast majority of client-side crypto-using applications
> are built on "Apps".

For good reason, but that's not WebCrypto's fault. Browser sand-boxing
is difficult.

That being said, native app TLS usage is actually terrible too, if not
more so:

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf


>
> Is there any major applications out there relying on WebCrypto?

Signal, Crypto.cat, various Google apps. 
>
>
>> Does the progress disappoint you? Why? What's your rush?
>
>> More importantly, how is your vague complaining supposed to be in any
>> way helpful?
>>
>> What are we supposed to take away from your message?
>
> The thing I mentioned as another way forward.  It has IMO much better
> chances of getting traction because crypto without trusted UI and
> trusted storage isn't that terribly useful.
>
> These topics were either rejected or ignored by the WebCrypto WG.

For good reason. There isn't such a thing really as 'trusted UI' that
users understand and there isn't a unified thing such as 'trusted storage.'

>
> The Web Payment WG haven't mentioned WebCrypto as a possible security
> solution.

I think the above statement confuses the relationship between how these
technology stacks work. Crypto API is for low-level primitives in
Javascript, not wallets.

>
> But there's nothing to get hung about; some standards get wide-spread
> adoption, others do not.

For example, your WebPKI work to reproduce PKI in XML has, I believe,
zero adoption.

> However, I think it could be useful analyzing the outcome of every
> standards effort in order to (maybe) be better prepared for new
> endeavors!

Agreed.

>
> Anders
>
>>
>> On Fri, Apr 29, 2016 at 1:56 AM Timothy Holborn
>> <timothy.holborn@gmail.com <mailto:timothy.holborn@gmail.com>> wrote:
>>
>>     imho cryptography that is highly secure from un-intended use
>> seemed interesting yet difficult to find means to work
>> collaboratively on the stuff that would otherwise be considered 'low
>> hanging fruit'. So, when thinking about it from a modern context - i
>> also took into account quantum computing capabilities as to consider
>> meaningfully concepts surrounding the principle of 'rule of law'
>> where i noted today the following text
>>
>>     There is no single agreed definition of the rule of law. However,
>> there is a basic core definition that has near universal acceptance.
>>
>>     As Emeritus Professor Geoffrey Walker, has written in his
>> defining work on the rule of law in Australia: ‘…most of the content
>> of the rule of law can be summed up in two points:
>>
>>     (1) that the people (including, one should add, the government)
>> should be ruled by the law and obey it and
>>
>>     (2) that the law should be such that people will be able (and,
>> one should add, willing) to be guided by it.’
>>
>>     – Geoffrey de Q. Walker, The rule of law: foundation of
>> constitutional democracy, (1st Ed., 1988).
>>
>>
>>
>>     Source: http://www.ruleoflaw.org.au/principles/
>>
>>
>>     also, IMHO: It's that concept of a 'human centric web' that's
>> most difficult to discover.   Yet in consideration - the way most
>> people (who are old enough to remember) started on the web with
>> trumpet winsock[2] - not something that was packaged with the OS
>> (without going into the really old stuff...).
>>
>>     Now therefore; When considering the concept of the map [3] I've
>> been thinking about the differences or nuances between the goals of
>> building a web for documents (ie: web 1/2) and one for data ("web
>> 3").  If a 'trumpet winsock' to deal with the ID/Crypto issues were
>> produce today, what would it do and how could it be packaged?  How
>> would solve the very diverse issues that relate to the problem-domain?
>>
>>     I guess underlying it all is a need to acknowledge that decisions
>> are being made about processes that are being put into the hands of
>> various parties and pending the architectural decisions of those
>> designs; we'll end-up with different social outcomes regardless of
>> 'who wins' the more myopically definitive process  as to have
>> successfully completed the project.   Equally; i'm probably better
>> off coding rather than thinking and well, the work done here has been
>> rather awesome; so perhaps it's just my expectations that need to be
>> adjusted...  that balance between doing your best and living with
>> humility / being human.
>>
>>     I think more work needs to go into producing interoperablity with
>> SoLiD[4] solutions.  For me the process of trying to bring the two
>> worlds together seems really very daunting...
>>
>>     Tim.H
>>
>>     [1] https://en.wikipedia.org/wiki/Lattice-based_cryptography
>>     [2] http://thanksfortrumpetwinsock.com/
>>     [3] https://www.w3.org/2007/09/map/main.jpg
>>     [4] https://github.com/solid/
>>
>>
>>     On Tue, 19 Apr 2016 at 15:33 Anders Rundgren
>> <anders.rundgren.net@gmail.com
>> <mailto:anders.rundgren.net@gmail.com>> wrote:
>>
>>        
>> https://lists.w3.org/Archives/Public/public-webcrypto/2016Jan/0022.html
>>
>>         And still no interoperable standard.
>>
>>         Making it possible extending browsers through Apps seems like
>> a much easier way keeping the Web alive and kicking.
>>         Insurmountable security issues?  No, Google and Microsoft
>> have solved these in Web Payments; they just haven't shared their
>> findings with us.
>>
>>         Anders
>>
>
>

Received on Saturday, 30 April 2016 04:34:31 UTC