- From: Mountie Lee <mountie.lee@mw2.or.kr>
- Date: Fri, 16 Nov 2012 10:49:47 +0900
- To: Aymeric Vitte <vitteaymeric@gmail.com>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CAE-+aYKCVZj-L9kunr5k-VJVqwJHspmxZwWgE7qikiLY0N2EUA@mail.gmail.com>
Hi.

The certificate or TLS belongs to the secondary features of the WebCrypto API.
We are slightly moving to secondary features.

Among the multiple pending secondary features of the WebCrypto API, I also have an interest in certificate-related issues.

Can we list the requirements for certificate-related issues?

The following is my list.

- API access to X509 certificate extensions
- handling encodings from X509 certificate extensions
- signature validation with certificate
- certificate validation with CRL or OCSP

On Thu, Nov 15, 2012 at 5:03 PM, Aymeric Vitte <vitteaymeric@gmail.com> wrote:

> The draft project is here: http://www.ianonym.com. The "details" section
> is not specs but a summary. This is an extension inside the browser of
> https://github.com/Ayms/node-Tor, which is a js implementation over
> node.js of the Tor project.
>
> Assuming that the concept works (it seems to on paper and from some
> experimentations I made), here is what is needed accessible with js inside
> the browser and the status today:
>
> - mix node.js Buffers and Typed Arrays --> OK, home made
> - URL parser --> OK, home made
> - HTTP parser --> OK, home made
> - self signed certificates generation (OP) --> NOK
> - certificates verification (OP) --> NOK
> - implement TLS protocol (OP, inside websockets, both client and
>   server side) --> NOK
> - retrieve the certificate used for the first TLS connection between
>   the page and the OP (Evil1 attack) --> NOK
> - implement Tor protocol and Tor protocol websocket extension (OP,
>   inside websockets) --> OK, home made
> - Webcrypto like features (hash, encrypt, decrypt, rsa, aes, etc),
>   including Tor specific ones (RSA_PKCS1_OAEP_PADDING, aes-128-ctr) --> NOK
>   (or OK with Webcrypto API but when ?)
>
> Besides the overall technical difficulty, one of the problems is not to end
> up with something obsolete (like most of the existing js crypto libraries that
> are not using Typed Arrays) or not to reinvent what will exist tomorrow.
>
> And of course, implementing all of this with js will not be efficient; it
> should better be part of a standard trustable web api.
>
> Even if the Webcrypto API was already implemented, we see here that a lot of
> things are still missing for this project. I don't know if it is so
> specific; probably people will have some equivalent ideas of use with or
> without websockets.
>
> Unfortunately I did not see other webapis projects implementing, for
> example, certificates or the TLS protocol. Therefore, maybe it should be
> considered to extend Webcrypto so it does cover the full chain needed for
> TLS/SSL communications and crypto tools manipulations (unless you are aware
> that this does or will exist elsewhere as a standard).
>
> Regards
>
> A. Vitte
>
> --
> jCore
> Email : avitte@jcore.fr
> Web : www.jcore.fr
> Webble : www.webble.it
> Extract Widget Mobile : www.extractwidget.com
> BlimpMe! : www.blimpme.com

--
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World

Received on Friday, 16 November 2012 01:50:31 UTC