
Re: WebCrypto - In "progress" since 2012

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sat, 30 Apr 2016 07:28:35 +0200
To: Harry Halpin <hhalpin@w3.org>, Randall Leeds <randall.leeds@gmail.com>, Web Payments CG <public-webpayments@w3.org>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <a9296c05-b898-2e7d-b5d0-81f762ea2acd@gmail.com>
On 2016-04-30 06:34, Harry Halpin wrote:
>> The thing I mentioned as another way forward.  It has IMO much better
>> chances of getting traction because crypto without trusted UI and
>> trusted storage isn't that terribly useful.
>> These topics were either rejected or ignored by the WebCrypto WG.
> For good reason. There isn't such a thing really as 'trusted UI' that
> users understand and there isn't a unified thing such as 'trusted storage.'

That's correct.  However, there is another, more down-to-earth definition, which
is that the issuer/relying party/etc. consider the system interacting with and
storing keys as trusted, e.g. Apple Pay.

>> The Web Payment WG haven't mentioned WebCrypto as a possible security
>> solution.
> I think the above statement confuses the relationship between how these
> technology stacks work. Crypto API is for low-level primitives in
> Javascript, not wallets.

Confusing or not it seems that WebCrypto will not be used for wallets,
not even Web wallets.

>> But there's nothing to get hung about; some standards get wide-spread
>> adoption, others do not.
> For example, your WebPKI work to reproduce PKI in XML has, I believe, zero adoption.

WebPKI is nowadays a wide range of things.  Although adoption probably is zero, some of
the stuff may be leaving that pitiful state: http://www.conferences-pic.com/#demos

My most recent project (it feels more like a crusade...), "Uniting the Web and App worlds", has lots of "moral" (and indirect) supporters.


>> However, I think it could be useful analyzing the outcome of every
>> standards effort in order to (maybe) be better prepared for new
>> endeavors!
> Agreed.
>> Anders
>>> On Fri, Apr 29, 2016 at 1:56 AM Timothy Holborn
>>> <timothy.holborn@gmail.com> wrote:
>>>
>>> IMHO cryptography that is highly secure from un-intended use
>>> seemed interesting, yet difficult to find means to work
>>> collaboratively on the stuff that would otherwise be considered 'low
>>> hanging fruit'. So, when thinking about it from a modern context, I
>>> also took into account quantum computing capabilities as to consider
>>> meaningfully concepts surrounding the principle of 'rule of law',
>>> where I noted today the following text:
>>>
>>> There is no single agreed definition of the rule of law. However,
>>> there is a basic core definition that has near universal acceptance.
>>> As Emeritus Professor Geoffrey Walker has written in his
>>> defining work on the rule of law in Australia: ‘…most of the content
>>> of the rule of law can be summed up in two points:
>>> (1) that the people (including, one should add, the government)
>>> should be ruled by the law and obey it and
>>> (2) that the law should be such that people will be able (and,
>>> one should add, willing) to be guided by it.’
>>> – Geoffrey de Q. Walker, The rule of law: foundation of
>>> constitutional democracy, (1st Ed., 1988).
>>> Source: http://www.ruleoflaw.org.au/principles/
>>>
>>> Also, IMHO: it's that concept of a 'human centric web' that's
>>> most difficult to discover.  Yet in consideration, the way most
>>> people (who are old enough to remember) started on the web was with
>>> Trumpet Winsock [2], not something that was packaged with the OS
>>> (without going into the really old stuff...).
>>>
>>> Now therefore: when considering the concept of the map [3], I've
>>> been thinking about the differences or nuances between the goals of
>>> building a web for documents (i.e. web 1/2) and one for data ("web
>>> 3").  If a 'Trumpet Winsock' to deal with the ID/Crypto issues were
>>> produced today, what would it do and how could it be packaged?  How
>>> would it solve the very diverse issues that relate to the problem domain?
>>>
>>> I guess underlying it all is a need to acknowledge that decisions
>>> are being made about processes that are being put into the hands of
>>> various parties and, pending the architectural decisions of those
>>> designs, we'll end up with different social outcomes regardless of
>>> 'who wins' the more myopically definitive process as to have
>>> successfully completed the project.  Equally, I'm probably better
>>> off coding rather than thinking, and well, the work done here has been
>>> rather awesome; so perhaps it's just my expectations that need to be
>>> adjusted... that balance between doing your best and living with
>>> humility / being human.
>>>
>>> I think more work needs to go into producing interoperability with
>>> SoLiD [4] solutions.  For me the process of trying to bring the two
>>> worlds together seems really very daunting...
>>>
>>> Tim.H
>>>
>>> [1] https://en.wikipedia.org/wiki/Lattice-based_cryptography
>>> [2] http://thanksfortrumpetwinsock.com/
>>> [3] https://www.w3.org/2007/09/map/main.jpg
>>> [4] https://github.com/solid/
>>>
>>> On Tue, 19 Apr 2016 at 15:33 Anders Rundgren
>>> <anders.rundgren.net@gmail.com> wrote:
>>>
>>> https://lists.w3.org/Archives/Public/public-webcrypto/2016Jan/0022.html
>>>
>>> And still no interoperable standard.
>>>
>>> Making it possible to extend browsers through Apps seems like
>>> a much easier way of keeping the Web alive and kicking.
>>>
>>> Insurmountable security issues?  No, Google and Microsoft
>>> have solved these in Web Payments; they just haven't shared their
>>> findings with us.
>>>
>>> Anders
Received on Saturday, 30 April 2016 05:29:19 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:41 UTC