Webcrypto - project example (and issues) from Aymeric Vitte on 2012-11-15 (public-webcrypto-comments@w3.org from November 2012)

From: Aymeric Vitte <vitteaymeric@gmail.com>
Date: Thu, 15 Nov 2012 09:03:15 +0100
To: public-webcrypto-comments@w3.org
Message-ID: <50A4A1C3.9000103@gmail.com>

The draft project is here : http://www.ianonym.com, the "details" 
section are not specs but a summary, this is an extension inside the 
browser of https://github.com/Ayms/node-Tor which is a js implementation 
over node.js of the Tor project.

Assuming that the concept works (it seems to on the paper and from some 
experimentations I made), here is what is needed accessible with js 
inside the browser and the status today :

     - mix node.js Buffers and Typed Arrays --> OK, home made
     - URL parser --> OK, home made
     - HTTP parser --> OK, home made
     - self signed certificates generation (OP) --> NOK
     - certificates verification (OP) --> NOK
     - implement TLS protocol (OP, inside websockets, both client and 
server side) --> NOK
     - retrieve the certificate used for the first TLS connection 
between the page and the OP (Evil1 attack) --> NOK
     - implement Tor protocol and Tor protocol websocket extension (OP, 
inside websockets) --> OK, home made
     - Webcrypto like features (hash, encrypt, decrypt, rsa, aes, etc), 
including Tor specific ones (RSA_PKCS1_OAEP_PADDING, aes-128-ctr) --> 
NOK (or OK with Webcrypto API but when ?)

Beside the overall technical difficulty, one of the problems is not to 
end up with something obsolete (like most of existing js crypto 
libraries that are not using Typed Arrays) or not to reinvent what will 
exist tomorrow.

And of course, implementing all of this with js will not be efficient, 
it should better be part of a standard trustable web api.

Even if Webcrypto API was already implemented, we see here that a lot of 
things are still missing for this project. I don't know if it is so 
specific, probably people will have some equivalent ideas of use with or 
without websockets.

Unfortunately I did not see other webapis projects implementing for 
example certificates, TLS protocol. Therefore, maybe it should be 
considered to extend Webcrypto so it does cover the full chain needed 
for TLS/SSL communications and crypto tools manipulations (unless you 
are aware that this does or will exist elsewhere as a standard).

Regards

A. Vitte

-- 
jCore
Email :  avitte@jcore.fr
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com

Received on Thursday, 15 November 2012 16:02:19 UTC