Re: WebCrypto API TLS/SSL Use Case + start of a TLS/SSL proposal.

I know this will sound harsh, but this simply seems like the
realization of the worst-case predictions of the web crypto
detractors.

That it's possible does not and should not mean it's encouraged, for
many of the reasons that have already been discussed - most notably
the breaking of SOP and of encouraging untrusted/unvalidated
certificates.

As someone who works closely on the SSL/TLS stack of two major
browsers, I can only hope that such code does not become the norm.
While I can't prevent it, I can't in good conscience encourage it.

I realize that there are similar arguments to be made in the *Sysapps*
realm, where discussions about low-level TCP socket access have
happened. For example, implementing an IMAP client with STARTSSL
support, or implementing POPS, are vastly vastly more reasonable and
secure than the use case you've presented. They require a radically
different rethinking though, and, arguably, are better suited not for
this group but for Sysapps, where such discussions about security and
what "Web Apps" should expect to be able to leverage.

On Mon, Apr 8, 2013 at 5:07 PM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:
> Here : https://gist.github.com/Ayms/027737d92c2245b4f9d4
>
> TLS/SSL Use Case, implementation of a TLS/SSL server and/or client inside
> the browser on top of WebSockets, with high level TLS/SSL spec and code
> example.
>
> I have tried to make it short and simple, do not focus on details, normally
> it's easily understandable, that's not theoretical, it's already working in
> reality.
>
> Regards,
>
> --
> jCore
> Email :  avitte@jcore.fr
> iAnonym : http://www.ianonym.com
> node-Tor : https://www.github.com/Ayms/node-Tor
> GitHub : https://www.github.com/Ayms
> Web :    www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com
>
>

Received on Monday, 8 April 2013 21:45:18 UTC