Re: extension of Web Cryptography API to include curve25519 and 448 from Daniel Veditz on 2019-12-11 (public-webappsec@w3.org from December 2019)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 10 Dec 2019 19:49:26 -0800
To: Ilya Chesnokov <ilya.chesnokov@protonmail.com>, Wendy Seltzer <wseltzer@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "d.huigens@protonmail.com" <d.huigens@protonmail.com>
Message-ID: <CADYDTCASTD3tHkBKrJ7EC2imrHSQSvSLmkmQwh55__m7rtovTg@mail.gmail.com>

That seems like a reasonable proposal but updating the Web Crypto API seems
outside the scope of this group's charter.

Wendy: Where should we direct this request? The API was defined in the Web
Crypto WG, closed since 2017. A note on their w3.org page said that
maintenance of the Web Crypto spec would be carried on in the Web Security
Interest Group, which closed in October. Would this fit in the Web
Authentication group, or is their scope limited to that one specification?

-Dan Veditz

On Tue, Dec 10, 2019 at 1:49 AM Ilya Chesnokov <
ilya.chesnokov@protonmail.com> wrote:

> Hello, members of web app security group.
>
> My name is Ilya Chesnokov and I represent Proton Technologies AG - the
> company behind Protonmail, the world's largest encrypted email provider.
> Our company is interested in enhancing the web cryptography specification (
> https://www.w3.org/TR/WebCryptoAPI/) to include curve25519 and curve448.
> For the former curve, there exists a written proposal, albeit incomplete
> https://github.com/trevp/curve25519_webcrypto. Also, there was a formal
> voting with most votes against this; the main reason was that these curves
> were not included in the CFRG or TLS standards (an example vote is here
> https://lists.w3.org/Archives/Public/public-webcrypto/2014Aug/0107.html).
>
> Now both curves are included in CFRG standard
> https://tools.ietf.org/html/rfc7748 and in the TLS draft
> https://tools.ietf.org/html/draft-ietf-tls-curve25519-01, therefore, it
> seems that including these curves now in the web crypto API is a reasonable
> choice.
>
> Proton technologies is interested in writing necessary specification,
> since it will advance our openpgp implementation (working draft of the spec
> with curve 25519 is here
> https://tools.ietf.org/html/draft-koch-openpgp-rfc4880bis-02). This mail
> is intended to gauge interest in including curve 25519 and curve 448 to web
> crypto api, all replies are welcome.
>
> Best regards Ilya Chesnokov
>
> Sent with ProtonMail <https://protonmail.com> Secure Email.
>
>

Received on Wednesday, 11 December 2019 03:49:47 UTC