The updated WebCrypto charter

https://lists.w3.org/Archives/Public/public-webcrypto/2015May/0000.html

The charter still talks about optional "Secondary API features".

Since these haven't been discussed in any detail, isn't there an obvious risk that this could lead to a similar situation to the one we got with "WebCrypto.Next for Smart Cards"?  IMHO, hardly any of the listed items seem relevant these days either.  From the charter:

"control of TLS session login/logout":
Since the browser vendors, with their emphasis on FIDO, have effectively left HTTPS client certificate authentication "as is" (probably because it is considered clunky and privacy-impeding), this is unlikely to happen.

"derivation of keys from TLS sessions":
I believe this is more or less already an IETF task: https://tools.ietf.org/wg/tokbind/

"a simplified data protection function":
I have no idea what that could be.

"multiple key containers":
Multiple providers have already been dismissed.  FIDO is also a strong candidate here.

"key import/export":
This is way too messy for ordinary users.

"a common method for accessing and defining properties of keys and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption":
If we stick to domain-bound keys a la WebCrypto, IndexedDB + https://pkijs.org/ provide this capability for the few who could be interested in PKI solutions that only work for a single domain.

Platform-based keys, such as those featured in Microsoft's WebCrypto.Next proposal, are an entirely different thing which squarely matches the WebCrypto API security model, which was also a reason it didn't pull through.

It seems like a better deal to wait for possible V2 input after WebCrypto has actually hit the market and real use cases.

Anders

Received on Tuesday, 5 May 2015 16:56:43 UTC