
Re: Webcrypto - project example (and issues)

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Fri, 16 Nov 2012 10:49:47 +0900
Message-ID: <CAE-+aYKCVZj-L9kunr5k-VJVqwJHspmxZwWgE7qikiLY0N2EUA@mail.gmail.com>
To: Aymeric Vitte <vitteaymeric@gmail.com>
Cc: public-webcrypto-comments@w3.org
Hi.

The certificate or TLS belongs to the secondary features of the WebCrypto API.

We are slightly moving toward secondary features.

Among the multiple pending secondary features of the WebCrypto API,
I am also interested in certificate-related issues.

Can we list the requirements for certificate-related issues?

The following is my list.
- API access to X509 certificate extensions
- handling encodings from X509 certificate extensions
- signature validation with certificate
- certificate validation with CRL or OCSP



On Thu, Nov 15, 2012 at 5:03 PM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:

> The draft project is here: http://www.ianonym.com. The "details" section
> is not a spec but a summary. This is an extension inside the browser of
> https://github.com/Ayms/node-Tor, which is a js implementation over node.js of the Tor project.
>
> Assuming that the concept works (it seems to on paper and from some
> experiments I made), here is what is needed, accessible with js inside
> the browser, and the status today:
>
>     - mix node.js Buffers and Typed Arrays --> OK, home made
>     - URL parser --> OK, home made
>     - HTTP parser --> OK, home made
>     - self signed certificates generation (OP) --> NOK
>     - certificates verification (OP) --> NOK
>     - implement TLS protocol (OP, inside websockets, both client and
> server side) --> NOK
>     - retrieve the certificate used for the first TLS connection between
> the page and the OP (Evil1 attack) --> NOK
>     - implement Tor protocol and Tor protocol websocket extension (OP,
> inside websockets) --> OK, home made
>     - Webcrypto like features (hash, encrypt, decrypt, rsa, aes, etc),
> including Tor specific ones (RSA_PKCS1_OAEP_PADDING, aes-128-ctr) --> NOK
> (or OK with Webcrypto API but when ?)
>
> Beside the overall technical difficulty, one of the problems is not to end
> up with something obsolete (like most of existing js crypto libraries that
> are not using Typed Arrays) or not to reinvent what will exist tomorrow.
>
> And of course, implementing all of this with js will not be efficient, it
> should better be part of a standard trustable web api.
>
> Even if Webcrypto API was already implemented, we see here that a lot of
> things are still missing for this project. I don't know if it is so
> specific, probably people will have some equivalent ideas of use with or
> without websockets.
>
> Unfortunately I did not see other webapis projects implementing for
> example certificates, TLS protocol. Therefore, maybe it should be
> considered to extend Webcrypto so it does cover the full chain needed for
> TLS/SSL communications and crypto tools manipulations (unless you are aware
> that this does or will exist elsewhere as a standard).
>
> Regards
>
> A. Vitte
>
> --
> jCore
> Email :  avitte@jcore.fr
> Web :    www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com
>
>
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Friday, 16 November 2012 01:50:31 GMT
