Secure Curves in Web Crypto: WICG draft

Hi all,

Last year, I volunteered as editor for the Web Crypto spec [0]. Now that
the new charter of the WebAppSec group has been adopted, which says
that "the WG may adopt well-supported proposals from incubation for
maintenance of the Web Cryptography API", I'd like to give a bit of an
update, particularly on adding more secure curves, e.g. X25519, X448,
Ed25519 and Ed448. There is now a draft WICG specification for that at
https://wicg.github.io/webcrypto-secure-curves/.

It defines four new algorithm identifiers (one for each of the mentioned
algorithms). Each of them is independent and optional to implement, as
all Web Crypto algorithms are. Ed448 has an additional (optional)
"context" parameter for domain separation, as per RFC 8032, which
Ed25519 doesn't have. Which brings me to...:


## Open questions

Currently, the draft doesn't specify the "context" variant of Ed25519
(Ed25519ctx) nor the "prehash" variants (Ed25519ph and Ed448ph), as
these seem less commonly used. Please chime in on GitHub [1] if you
have a (dis)interest in implementing these. (We could also specify
these separately later if there's interest. The prehash variants might
be useful if we add streaming to Web Crypto, as they are single-pass,
unlike Ed25519 and Ed448.)

There's also an open question about when to do public key validation.
To me, doing it during key import makes the most sense, but in the case
of X25519 and X448, doing it during key derivation is slightly easier
to implement. Please also chime in on [2] if you have an opinion.

And finally, a question came up about whether to provide a feature
detection mechanism for support of these algorithms, as for now Web
Crypto doesn't have one (other than try/catch). I could take a stab at
specifying an `isAlgorithmSupported` function, for example in a
separate WICG draft. Let me know if you have an opinion on this.


## Status

There is one experimental implementation, in Node.js; they also added
web platform tests for this feature. Of course, that doesn't count as
"well-supported" for the purposes of this group's charter (yet), but I
thought I'd anyway ask for some feedback here. In particular, it would
be great if other implementers could take a look at the spec, leave
feedback, and perhaps if it looks good even implement it, to make
it "well-supported" ;)

Thanks a lot!

Best,
Daniel Huigens


[0]: https://lists.w3.org/Archives/Public/public-webappsec/2021May/0003.html
[1]: https://github.com/WICG/webcrypto-secure-curves/issues/5
[2]: https://github.com/WICG/webcrypto-secure-curves/pull/13

Received on Thursday, 16 June 2022 13:45:24 UTC