Re: Use case - John and Jane

Ryan,

I don't understand the deviation of the initial subject to SOP/HTTP-HTTPS origin; this has nothing to do with it. Your faith about SOP is just theoretical; in reality browsers implement many workarounds to live with this model.

Now coming back to the initial subject: it just shows that under some circumstances you can get access to the keys of someone else, and it's a physical attack. As WebCrypto solves a physical attack described in the Use Cases, then, if WebCrypto does not deal with physical attacks, don't put an explicit example in the documentation.

Regards,


Le 23/03/2013 01:39, Eric Rescorla a écrit :
>
>
> On Fri, Mar 22, 2013 at 5:38 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
>
>
>
>     On Fri, Mar 22, 2013 at 5:33 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
>         On Fri, Mar 22, 2013 at 4:57 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
>             Scheme is either HTTP or HTTPS. An origin accessed over
>             HTTP is *not* the same as an origin accessed via HTTPS -
>             because they are different schemes.
>
>
>         Ryan,
>
>         I generally agree with your argument here, but I wanted to observe
>         that there has been some discussion of mechanisms for
>         authenticating JS delivered over HTTP (e.g., script-hash).
>
>         I don't think this changes your basic point though.
>
>         -Ekr
>
>
>     Sure, but that's been in the context of the main page (and
>     therefore origin) being delivered over HTTPS, and it securely
>     indicates the script-hash for resources to load over HTTP (eg: to
>     permit edge caching).
>
>     An HTTP page embedding HTTP resources with script-hash is as
>     insecure as an HTTP page embedding HTTPS resources, which is as
>     insecure as an HTTP page embedding HTTP resources - the attacker
>     can always modify the HTTP page itself.
>
>
> I have no argument with this message.
>
> -Ekr
>

-- 
jCore
Email :  avitte@jcore.fr
iAnonym : http://www.ianonym.com
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Web :    www.jcore.fr
Webble : www.webble.it
Extract Widget Mobile : www.extractwidget.com
BlimpMe! : www.blimpme.com

Received on Saturday, 23 March 2013 19:39:06 UTC
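The origin rule argued in the quoted exchange (scheme, host and port together form the origin, so an HTTP and an HTTPS page on the same host are different origins, and a page that itself arrives over HTTP cannot be made trustworthy by how its sub-resources are fetched), as an added example that is not part of any message in this thread. It uses only the standard WHATWG `URL` class; the sample URLs and the `embeddingRisk` labels are constructed for illustration.

```javascript
// Added example (not from the original thread): compute the origin tuple
// (scheme, host, port) of a URL and compare two origins the way the
// same-origin policy does, so that http://example.com and https://example.com
// are seen as distinct origins even though the host matches.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse a URL and return its origin tuple. A missing port is filled with the
// scheme's default so that http://example.com and http://example.com:80
// compare equal, as the browser treats them.
function originOf(url) {
  const u = new URL(url);
  const port = u.port !== '' ? u.port : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`unsupported scheme for this example: ${u.protocol}`);
  }
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port };
}

// Two URLs share an origin only when all three components match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Classify a page/resource pair from the defender's point of view, following
// the rule stated in the thread: if the page itself is delivered over HTTP,
// an on-path attacker can rewrite the page, so nothing it embeds can be
// trusted no matter how that resource is fetched or hashed.
function embeddingRisk(pageUrl, resourceUrl) {
  const page = originOf(pageUrl);
  const res = originOf(resourceUrl);
  if (page.scheme !== 'https') return 'insecure: page delivered over HTTP';
  if (res.scheme !== 'https') return 'mixed content: HTTPS page loads HTTP resource';
  return 'secure transport for both page and resource';
}

// Constructed sample URLs (not taken from the original message).
console.log(sameOrigin('http://example.com/a', 'https://example.com/b'));   // false
console.log(sameOrigin('http://example.com/a', 'http://example.com:80/b')); // true
console.log(embeddingRisk('http://example.com/', 'https://cdn.example.com/lib.js'));
```

`originOf` deliberately refuses schemes other than HTTP and HTTPS, since their default ports are not in the table; extending `DEFAULT_PORTS` is enough to cover others such as `ws:`/`wss:`.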