Re: [liberationtech] W3C WebCrypto Last Call for Comments *today*

On May 20, 2014 7:32 AM, "carlo von lynX" <lynX@time.to.get.psyced.org>
wrote:
>
> Thank you for a faceted browser API.
>
> When Netscape introduced LiveScript in 1995, who would
> have thought it would one day be employed for
> opportunistic end-to-end encryption and similar jobs.
>
> I would kindly ask you to mention in the opening words
> that such an API can only be used in an "opportunistic"
> fashion as the JS code intended to use this API itself
> somehow has to be delivered to the browser, which is an
> as yet unsolved problem considering the failures of
> certification authorities in the past.

This is not an accurate limitation of the API, given the existence of
SysApps (aka Extensions/Apps), which as noted in the W3C SysApps charter,
include different security models such as signed code.

This is also not a cryptographically accurate use of the term opportunistic
encryption, though it has become quite an in vogue term.

>
> There is a fundamental flaw in the security architecture
> of the web and this new API does not address that.
>

Our charter makes this clear.

> Please make that clear, or you may stir false hopes and
> become responsible for potential consequences. People may
> be developing sensitive applications with this, not being
> aware that any certification authority of any country on
> earth can insert malicious code.
>
> Best,  CvL
>

Luckily, this is also not true.

Certificate pinning is one such way to mitigate this threat.

Regardless, it's unreasonable to suggest we are responsible for developers
who choose to use eval on untrusted code, who choose not to use CSP, those
who introduce XSS, and likewise, those who fail to use pinning. These are
all complementary tools in the developer's toolbox.

>
> --
>             http://youbroketheinternet.org
>  ircs://psyced.org/youbroketheinternet
>
>

Received on Tuesday, 20 May 2014 14:39:32 UTC