Re: security of a client-side JS API? from Eric Rescorla on 2012-11-01 (public-webcrypto-comments@w3.org from November 2012)

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 1 Nov 2012 14:26:23 +0100
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: Zooko Wilcox-OHearn <zooko@leastauthority.com>, "Arthur D. Edelstein" <arthuredelstein@gmail.com>, Ryan Sleevi <sleevi@google.com>, public-webcrypto-comments@w3.org
Message-ID: <CABcZeBN0Uxjc=Fr-41X6A=-tAhffQuXDkm7Qv7hVutjxZ6HOpg@mail.gmail.com>

On Thu, Nov 1, 2012 at 2:13 PM, Richard L. Barnes <rbarnes@bbn.com> wrote:
> That doesn't really help for anything non-real-time.  For example, offline delivery for XMPP or similar.
>
> There's also a fair bit of overhead involved in setting up that channel.

All totally true.

-Ekr

>
>
> On Nov 1, 2012, at 11:24 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> As Zooko says, WebRTC provides a mechanism for establishing an
>> end-to-end cryptographically protected data channel (for those who
>> care, SCTP over DTLS. These channels can be created and accessed by
>> JS.
>>
>> In terms of implementation status, this "datachannel" functionality is
>> available in the current Firefox Aurora build (though this it's kind
>> of a hard-hat area) and under active development for Chromium. (Though
>> Chrome's WebRTC implementation is generally further along).
>>
>> -Ekr
>>
>>
>> On Thu, Nov 1, 2012 at 11:08 AM, Zooko Wilcox-OHearn
>> <zooko@leastauthority.com> wrote:
>>> On Wed, Oct 31, 2012 at 5:54 PM, Arthur D. Edelstein
>>> <arthuredelstein@gmail.com> wrote:
>>>>
>>>> If you have any hints on who in W3C might be working on a proposal for an end-to-end encryption standard for the browser, I'd be very grateful! I haven't found it yet. :)
>>>
>>> I too would be very interested in this. Please let me know what you
>>> find. The relevance to *this* working group would be that this would
>>> be a use case which the WebCrypto API might be able to support. You
>>> might want to start by looking at WebRTC and asking people who work on
>>> that standard. It provides end-to-end connectivity, and I believe it
>>> comes with a Diffie-Hellman key exchange built in. So some of the hard
>>> parts of developing secure e2e connections are already done by WebRTC!
>>> And, WebRTC is already pretty far along in being implemented and
>>> deployed.
>>>
>>> https://en.wikipedia.org/wiki/WebRTC
>>>
>>> Regards,
>>>
>>> Zooko Wilcox-O'Hearn
>>>
>>> Founder, CEO, and Customer Support Rep
>>>
>>> https://LeastAuthority.com
>>>
>>
>>
>

Received on Thursday, 1 November 2012 13:27:33 UTC