W3C home > Mailing lists > Public > public-webcrypto@w3.org > July 2016

Re: Call for Consensus: Require secure context for WebCrypto

From: Harry Halpin <hhalpin@w3.org>
Date: Thu, 14 Jul 2016 16:58:29 +0200
To: public-webcrypto@w3.org
Message-ID: <5787A895.8020401@w3.org>
Also, feel free to comment on Github rather than the list:
https://github.com/w3c/webcrypto/issues/28

On 07/14/2016 04:35 PM, Harry Halpin wrote:
> We're thinking of adding a sentence saying that secure origins should be
> required for the use of WebCrypto.
>
> In detail, we'd like to follow the definition of a secure context given
> here [1], although since that document is still an editor's draft so we
> will instead say that the "The top-level browsing context should be
> secure when using the WebCrypto API."
>
> People may also want to see this document, which mentions how the use of
> WebCrypto within a secure origin can lead to l
> https://w3c.github.io/webappsec-secure-contexts/#ancestors
>
> Since all browsers support WebCrypto using TLS, this should not change
> the test-suite or conformance requirements. As long as browsers enable
> the usage of WebCrypto in TLS, we will not consider them non-conformant
> if they offer the usage of WebCrypto outside TLS. However, given it is
> not best practice, this note will at least inform developers to use TLS
> properly when using WebCrypto, as otherwise (as we've seen), some
> developers may believe enabling WebCrypto without TLS may give them
> security properties it indeed does not.
>
> We'll have a two week period for discussion before making any changes to
> the spec in this regard.
>
>   cheers,
>     harry
>
> [1] https://w3c.github.io/webappsec-secure-contexts
>
>
Received on Thursday, 14 July 2016 14:58:36 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 14 July 2016 14:58:36 UTC