Re: FW: [WebCryptoAPI]

On Wed, Aug 7, 2013 at 8:52 AM, Thomas Kopp <thomas.kopp@luxtrust.lu> wrote:
> Dear all,
>
> This project seems to be very interesting and could solve a couple of
> problems. Enclosed, please find some questions:
>
> - What is the status of the project? In particular, are the
> indicated planning and milestones still up-to-date?

Dates are likely not up to date.

>
> - Which browser vendors will support the API? Any commitments yet?

Microsoft IE 11 (Developer Preview) includes preliminary support,
based upon an older Editor's Draft. See
http://msdn.microsoft.com/en-us/library/ie/dn265046(v=vs.85).aspx

Chromium (Google Chrome, presumably-but-not-stated Opera) support is
being tracked at
https://code.google.com/p/chromium/issues/detail?id=245025 and is
currently behind flags.

Mozilla (Firefox) support is being tracked at
https://bugzilla.mozilla.org/show_bug.cgi?id=865789

>
> - Will support also be available on mobile platforms?

That's a question for mobile platform vendors. Naturally, the goal is
to see the Web Platform evolve on all supported platforms, but the
timelines between desktop user agents, mobile user agents, and other
forms of embedded user agents may not be in sync 1:1.

>
> - Important: This API exposes sensitive functionality that is
> supposed to be called via JavaScript. Unfortunately, JavaScript has no
> cross-platform support for using signed code only. As a consequence, this
> API risks to be a first class candidate for attackers, since it permits
> executing sensitive operations in potentially unsecure environments. Thus,
> it would be desirable that the same workgroup also covers code signing of
> JavaScript and proposes a cross-platform approach with recommendation to the
> API vendors for implementing it. This strategy would not only permit
> performing signature operations via JavaScript, but also to protect
> applications (and their users) employing such an approach.
>

This is explicitly out of scope for this WG.

However, you are likely interested in http://www.w3.org/2012/sysapps/
. In particular, see the "Runtime & Security Model", which addresses
many of the concerns/threats you have raised.

Received on Wednesday, 7 August 2013 21:57:07 UTC