- From: Daniel Huigens <d.huigens@protonmail.com>
- Date: Mon, 17 May 2021 10:05:59 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi public-webappsec,

Recently, I reached out to Mike Smith after he posted a message looking for someone to edit the Web Crypto spec, and I volunteered to do so. Now, he asked me to introduce myself here as well :)

I'm Daniel Huigens, the crypto team lead at Proton, and lead maintainer of OpenPGP.js. I have quite a lot of experience working with the Web Crypto API, both from working at Proton and on OpenPGP.js but also previously. I don't have as much experience editing specifications, so please bear with me while I figure that part out :)

I volunteered as editor for the Web Crypto spec with the goal of making it possible for web developers to build more secure web apps. The most pressing need in the Web Crypto spec I see in that regard is to modernize the set of algorithms available. In particular, adding more secure curves [1], adding a more modern key derivation function, and adding a more modern AEAD construction come to mind (ideally all based on CFRG recommendations). On the flip side, I should also explicitly say that it's not my goal to add algorithms or features purely for compatibility reasons (and that extends to things that might be useful for Proton or OpenPGP.js equally as any other company or library). I'd much rather see everyone moving towards a more secure set of algorithms.

I'll make a special mention of the proposal to allow Web Crypto to be used with Streams [2] (by far the most liked issue in the repo) - while not strictly speaking related to improving the security, it prevents web apps from using the Web Crypto API if they have to deal with very large files, so I think it would be nice if we can make some progress there.

I hope this goal makes sense to everyone :) But let me know what you think.

I've started with doing some housekeeping in the repo, and fixing some obvious bugs in the spec [3]. I also hope to reach out to all the vendors, to see where there's implementer interest, and then hopefully we can make some progress on these issues :)

Also, I'd be grateful if anyone would be willing to review some PRs, now and in the future. For example, Anne van Kesteren has been reviewing [4] but noted that it would be good if someone more familiar with Web Crypto did so as well.

Thanks a lot!

Best,
Daniel

[1]: https://github.com/w3c/webcrypto/issues/196
[2]: https://github.com/w3c/webcrypto/issues/73
[3]: https://github.com/w3c/webcrypto/pulls?q=is%3Apr+author%3Atwiss
[4]: https://github.com/w3c/webcrypto/pull/264

Received on Monday, 17 May 2021 10:41:20 UTC