Re: Webcrypto - project example (and issues)

Hi.

Certificates and TLS belong to the secondary features of the WebCrypto API.

We are slightly moving to secondary features.

Of the multiple pending secondary features of the WebCrypto API,
I also have an interest in certificate-related issues.

Can we list the requirements for certificate-related issues?

The following is my list.
- API access X509 certificate extensions
- handling encodings from X509 certificate extensions
- signature validation with certificate
- certificate validation with CRL or OCSP



On Thu, Nov 15, 2012 at 5:03 PM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:

> The draft project is here : http://www.ianonym.com, the "details" section
> are not specs but a summary, this is an extension inside the browser of
> https://github.com/Ayms/node-Tor which is a js implementation over node.js of the Tor project.
>
> Assuming that the concept works (it seems to on the paper and from some
> experimentations I made), here is what is needed accessible with js inside
> the browser and the status today :
>
>     - mix node.js Buffers and Typed Arrays --> OK, home made
>     - URL parser --> OK, home made
>     - HTTP parser --> OK, home made
>     - self signed certificates generation (OP) --> NOK
>     - certificates verification (OP) --> NOK
>     - implement TLS protocol (OP, inside websockets, both client and
> server side) --> NOK
>     - retrieve the certificate used for the first TLS connection between
> the page and the OP (Evil1 attack) --> NOK
>     - implement Tor protocol and Tor protocol websocket extension (OP,
> inside websockets) --> OK, home made
>     - Webcrypto like features (hash, encrypt, decrypt, rsa, aes, etc),
> including Tor specific ones (RSA_PKCS1_OAEP_PADDING, aes-128-ctr) --> NOK
> (or OK with Webcrypto API but when ?)
>
> Beside the overall technical difficulty, one of the problems is not to end
> up with something obsolete (like most of existing js crypto libraries that
> are not using Typed Arrays) or not to reinvent what will exist tomorrow.
>
> And of course, implementing all of this with js will not be efficient, it
> should better be part of a standard trustable web api.
>
> Even if Webcrypto API was already implemented, we see here that a lot of
> things are still missing for this project. I don't know if it is so
> specific, probably people will have some equivalent ideas of use with or
> without websockets.
>
> Unfortunately I did not see other webapis projects implementing for
> example certificates, TLS protocol. Therefore, maybe it should be
> considered to extend Webcrypto so it does cover the full chain needed for
> TLS/SSL communications and crypto tools manipulations (unless you are aware
> that this does or will exist elsewhere as a standard).
>
> Regards
>
> A. Vitte
>
> --
> jCore
> Email :  avitte@jcore.fr
> Web :    www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Friday, 16 November 2012 01:50:31 UTC