W3C home > Mailing lists > Public > public-webcrypto@w3.org > June 2012

Re: I want to have unsafe key exchange.

From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Date: Thu, 14 Jun 2012 17:18:08 -0300
Message-ID: <CAM_a8Jyg4hW5LMPs+o8ULyj7eYr8Ci2H_y=Pc51vULnSCofi2w@mail.gmail.com>
To: David Dahl <ddahl@mozilla.com>
Cc: public-webcrypto@w3.org
On Thu, Jun 14, 2012 at 12:50 PM, David Dahl <ddahl@mozilla.com> wrote:
>
> Initially, I think this was not a use case that was in mind for the API. However, we have discussed a few operations where this would be required to support specific protocols. I think in most cases, we would not want developers using this kind of 'the footgun is loaded' operation.

I think there will be many uses where it is necessary, so I hope that
the spec will require implementers to provide it. If we want to guide
developers toward safe patterns (and we do), then making something
optional in the spec, and thus inconsistent in the implementations, is
probably not a great way to accomplish that. Providing a safe and
always-available alternative way to do that thing which is
conceptually simple and well-documented sounds like the best tool we
have for that.

> As far as symmetric keys are concerned, I have been thinking we would spec out a wrapped key object, with the unwrapping happening out of the content JS scope. With a compelling use-case I can see an API that allows raw key material to be generated that is perhaps not persisted and not given any kind of ID. Would that satisfy your usage?

I don't really understand the ideas of wrapping, persistence, ID'ing
in this context. (Not that I haven't tried! I believe I had read all
the minutes and mailing list messages on the subject.)

But it sounds rather unlike what I want.

What I'm asking for is the ability for JS code to invent some bytes in
any that it wants -- in ways that we today can't predict -- and then
use those bytes as a private key or as a symmetric key. Possible ways
it might generate such bytes include using some not-yet-invented KDF
based on user input (e.g. an interactive graphical application in
which the user selects photographs out of a set of photographs), and a
remote protocol involving one or more remote nodes that it
communicates with over the network to compute some sort of
not-yet-invented key agreement scheme or secure multiparty
computation.

Likewise, I'm asking for the ability for JS to (at least for keys
which have not been explicitly marked as "no unsafe key exchange
allowed"), read the bytes of the key so that it can transmit those
bytes to the user or to a remote party in some way that we haven't yet
invented.

> Do you have a use case written down for this kind of operation?

Not exactly. I have a ton of ideas and rambling notes here and
there... ;-) It's a little bit difficult to write down, because part
of the driving motivation for me is that I want to make it possible
for future authors of JS code to invent new protocols. I can't write
down all those as-yet-uninvented protocols, although I can certainly
write down a few. ;-)

Let me try to come up with some concrete use case real quick... How
about: implement ZRTP ¹  in 100% pure Javascript, deployable in
node.js, content JS, or chrome JS.

That's just the first random thing off the top of my head.

¹ https://en.wikipedia.org/wiki/ZRTP

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep -- Least Authority Enterprises

https://leastauthority.com
Received on Thursday, 14 June 2012 20:18:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 14 June 2012 20:18:43 GMT