
Re: security of a client-side JS API?

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Thu, 1 Nov 2012 15:31:38 +0100
Message-ID: <CAE-+aYLpZ8-6Go0UdQAym6N6p0j4=_fAqMvxgEbkq1tR5YxQhA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "Richard L. Barnes" <rbarnes@bbn.com>, Zooko Wilcox-OHearn <zooko@leastauthority.com>, "Arthur D. Edelstein" <arthuredelstein@gmail.com>, Ryan Sleevi <sleevi@google.com>, public-webcrypto-comments@w3.org
The reason why security compliances are important is because of issues like this.
We cannot trust the client user environment.
But security compliances (PCI, HIPAA, SOX...) cover much more.

Personally,
I'm focusing on Signed-JS and JOSE (from IETF).
This can be a safeguard for these concerns.


On Thu, Nov 1, 2012 at 2:26 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> On Thu, Nov 1, 2012 at 2:13 PM, Richard L. Barnes <rbarnes@bbn.com> wrote:
> > That doesn't really help for anything non-real-time.  For example,
> > offline delivery for XMPP or similar.
> >
> > There's also a fair bit of overhead involved in setting up that channel.
>
> All totally true.
>
> -Ekr
>
> >
> >
> > On Nov 1, 2012, at 11:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >> As Zooko says, WebRTC provides a mechanism for establishing an
> >> end-to-end cryptographically protected data channel (for those who
> >> care, SCTP over DTLS. These channels can be created and accessed by
> >> JS.
> >>
> >> In terms of implementation status, this "datachannel" functionality is
> >> available in the current Firefox Aurora build (though it's kind
> >> of a hard-hat area) and under active development for Chromium. (Though
> >> Chrome's WebRTC implementation is generally further along).
> >>
> >> -Ekr
> >>
> >>
> >> On Thu, Nov 1, 2012 at 11:08 AM, Zooko Wilcox-OHearn
> >> <zooko@leastauthority.com> wrote:
> >>> On Wed, Oct 31, 2012 at 5:54 PM, Arthur D. Edelstein
> >>> <arthuredelstein@gmail.com> wrote:
> >>>>
> >>>> If you have any hints on who in W3C might be working on a proposal
> >>>> for an end-to-end encryption standard for the browser, I'd be very
> >>>> grateful! I haven't found it yet. :)
> >>>
> >>> I too would be very interested in this. Please let me know what you
> >>> find. The relevance to *this* working group would be that this would
> >>> be a use case which the WebCrypto API might be able to support. You
> >>> might want to start by looking at WebRTC and asking people who work on
> >>> that standard. It provides end-to-end connectivity, and I believe it
> >>> comes with a Diffie-Hellman key exchange built in. So some of the hard
> >>> parts of developing secure e2e connections are already done by WebRTC!
> >>> And, WebRTC is already pretty far along in being implemented and
> >>> deployed.
> >>>
> >>> https://en.wikipedia.org/wiki/WebRTC
> >>>
> >>> Regards,
> >>>
> >>> Zooko Wilcox-O'Hearn
> >>>
> >>> Founder, CEO, and Customer Support Rep
> >>>
> >>> https://LeastAuthority.com
> >>>
> >>
> >>
> >
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Thursday, 1 November 2012 14:32:24 GMT
