- From: Harry Halpin <hhalpin@w3.org>
- Date: Mon, 24 Sep 2012 23:23:20 +0200
- To: public-privacy@w3.org
- Message-ID: <5060CF48.8040406@w3.org>
The WebCrypto API has a number of privacy-related functionality that should be reviewed by the W3C Privacy IG, although a full detailed review will likely require the WD to be more mature [1]. A number of privacy concerns have already come up on the mailing list as regards the current draft. Off the top of my head, one can also do possible finger-printing of browser types in the current spec by running through the operations allowed by the API in a given browser/JS environment, but that would likely only manage to figure out what browser (and possibly device, if the API wires into device or OS-specific crypto) the user is running by indirectly by seeing what crypto algorithms are supported. Another more important potential red-flag is the ability to import/export keys. Although the API obeys basic constraints like same-origin policy, one can imagine keys being created to identify browsers in the same manner of cookies. The real open issues are still not yet fully discussed by the WG and thus not in the FPWD, but will appear in later WDs. So while we'd like this to be on your radar, we think a thorough privacy review would be more useful in about 6 months. However, we wanted this to be on your agenda. Some of the possible features (tracked in our issue-tracker [2]:) 1) How to do key identification (i.e. some want "Globally Unique IDs") (ISSUE-25) 2) User interaction with key (and possibly certificate) selection, given the usual issues that it is very difficult to standardize UI/UX in browsers (ISSUE-9) 3) Pressure to go beyond same-origin policy for keys for some use-cases, such as using pre-provisioned keys and keys previously generated and imported from the larger non-browser context. (ISSUE-26) 4) Requiring CSP or not (ISSUE-21) As for more possible future features that have not yet received open issues that will also have an impact on privacy, see the charter [3]. In particular secondary features: "/Secondary API Features/ that may be in scope are: control of TLS session login/logout, derivation of keys from TLS sessions, a simplified data protection function, multiple key containers, key import/export, a common method for accessing and defining properties of keys, and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption." So I imagine simplified data protection, interactions with multiple key containers (including those of the API), digital signatures, and certificate support would all have privacy implications re fingerprinting, in particular any user interaction required around keys/certificates. We'd love a written commentary on the public-webcrypto-comments@w3.org and hopefully we can do a telecon with you at one of your future meetings in about 6 months. cheers, harry [1]http://www.w3.org/TR/WebCryptoAPI/ [2]http://www.w3.org/2012/webcrypto/track/issues [3]http://www.w3.org/2011/11/webcryptography-charter.html
Received on Monday, 24 September 2012 21:23:51 UTC