- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Thu, 22 Jan 2015 22:04:14 +0100
- To: Harry Halpin <hhalpin@w3.org>, public-web-security@w3.org

On 2015-01-22 17:53, Harry Halpin wrote:
> On 01/22/2015 05:42 PM, Colin Gallagher wrote:

<snip>

> Re WebCrypto, Anders, as usual, is incorrect. WebCrypto is aimed at
> general-use crypto primitives within the browser environment that
> already exists. No more, no less. Lots of people have already found that
> useful. Please see charter.

Dear Harry,
Of course WebCrypto has some uses but it surely doesn't address
traditional crypto-using applications of the kind I mentioned.

> We could and hopefully will recharter new
> work but we'd like to finish the existing API as it is without
> shoe-horning into other use-cases that the WG did not accept.

As I have tried to explain it would be futile for a bunch of reasons
(the shoe-horning would happen anyway since the root of the problem
is in the web architecture rather than in the WebCrypto API).

So what I'm proposing is a "Plan B" which I think has (if the feasibility
study pans out NB...), more potential, considerably shorter development
time and could finally break the 20-year stranglehold we have had on
"Secure AND Convenient Payments on Web".

If somebody has a better plan, I'm the first to say hooray!!!

Anders

>
> cheers,
> harry
>
>
>
>>
>> B. Payswarm has helped push this W3C web payments thing along from what I
>> heard, but I don't agree it's been helping anyone. See
>> http://digitalbazaar.com/payswarm/ - sounds nice, but is unrealistic. Web
>> wallets such as Coinbase and Bitpay that already have huge userbase and
>> appeal are themselves soon to become a dying business model for the
>> following reasons:
>> a. The cromnibus. Provisions adopted at end of 2014 (buried deep in the
>> Intelligence provisions) made it so that any and all customer info which
>> would be handled by third party services could be disclosed to government
>> at any time. With no warrant, but rather as a result of broad, sweeping
>> requests.
>> b. Legality issues. Russia (Putin), UK (Cameron), U.S. (Obama), Belarus
>> (some info minister whose name I forget, who said recently that the
>> whole internet was now subject to "the fatherland" of Belarus). These idiot
>> politicians are providing us with a legacy of insecurity and attacks on
>> encryption and innovation generally. A growing number of countries consider
>> virtual currency to be illegal. So legality cannot be a concern here for
>> us, we cannot be constrained by these concerns when the larger concerns are
>> how do we ensure users have access to the systems of encryption that
>> politicians are now in the process of making illegal? The concern must be
>> moving beyond the Web for payment, because in that context it is broken.
>> c. Repository issues. If your virtual currency is supported as a corporate
>> model (you are an LLC or something) you are going to get threatened with
>> shutdown by another corp (probably one of many anonymized front corps that
>> can easily be created for this purpose) or by a government. If you are
>> serious about preserving your repository in the face of multiple aggressive
>> state actors, or by numerous competitors (including, moving into 2016, DAO
>> type competitors, that are autonomous and non-human), you need to mirror
>> into different places before your project becomes known (not just github or
>> bitbucket), have multiple offline copies with different names in different
>> locations, and instructions to friends to make sure copies can be checked
>> against signatures periodically.
>>
>> On Jan 22, 2015 6:16 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com>
>> wrote:
>>
>>> In this somewhat dated document, applications like on-line banking and
>>> credit-card processing are mentioned:
>>> http://www.w3.org/2012/webcrypto/wiki/Use_Cases
>>>
>>> A number of reasons why this probably won't happen are outlined in this
>>> document:
>>> http://webpki.org/papers/payments/webcrypto-4-payments.pdf
>>>
>>> Although currently not particularly useful, something along the following
>>> lines could prove to be a
>>> more workable solution for a wide range of crypto-using applications
>>> including eID and payments:
>>> http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html
>>>
>>> In fact, the entire idea of having a browser-level wallet needs
>>> reconsideration, since it would lead to
>>> local payments and web payments having different "Look-and-feel",
>>> Security, API, etc. characteristics.
>>>
>>> That is, "calling" a local (native) application like a wallet from the web
>>> is the most likely future
>>> solution. According to insiders this is exactly what Apple is currently
>>> working with in order to extend
>>> the functionality of their (r)evolutionary Apple Pay system.
>>>
>>> I suggest that a feasibility study is performed and if it turns out
>>> positive, be used for chartering
>>> a new WG which would serve as a replacement for the missing WebCrypto
>>> "secondary features".
>>>
>>> Anders
>>>
>>>
>>
>

Received on Thursday, 22 January 2015 21:04:43 UTC