Re: Usefulness of WebCrypto API from Harry Halpin on 2012-10-08 (public-webcrypto@w3.org from October 2012)

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 08 Oct 2012 22:51:14 +0200
To: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>, David Dahl <ddahl@mozilla.com>, Emily Stark <estark@mit.edu>, Wan-Teh Chang <wtc@google.com>, GALINDO Virginie <Virginie.GALINDO@gemalto.com>, Ryan Sleevi <sleevi@google.com>
Message-ID: <50733CC2.6020702@w3.org>

On 10/08/2012 09:22 PM, Vijay Bharadwaj wrote:
>
> ØThen, what threat model does crypto in JA make sense for at all? 
> Obviously, when there's some lack of trust on the server *or* 
> connection to the server that can be ameliorated by public key crypto.
>
> Harry asked the above on a different email thread. This is an 
> important question. But first we should be precise about what we're 
> asking. WebCrypto is not (only) about "crypto in JS". It is about 
> giving JS access to the crypto capabilities of the underlying 
> platform. This includes cases in which the actual crypto is done 
> elsewhere such as in a smart card.
>
> So when does it make sense to give JS access to the platform's crypto 
> capabilities? In my mind, there are a few possible answers.
>
> It makes sense when one wants a trusted piece of JS in a trusted UA to 
> interact with a less trusted data store. This is the Facebook use 
> case. It is also David's cloud storage use case if the script is 
> retrieved from somewhere other than the server that keeps the data.
>
> It makes sense when one wants a trusted piece of JS in a trusted UA to 
> be able to interoperate with a server using an existing protocol (e.g. 
> sign requests to access-controlled REST APIs, JimD's use cases on 
> authenticating to government services).
>
> It makes sense when a server wants to deliver JS that uses a trusted 
> piece of pre-provisioned crypto hardware to establish end-to-end trust 
> independent of the UA (e.g. using a smart dongle for online banking, 
> some of the Netflix use cases).
>
> There may be others, and I'd love to hear what others think.
>
> It's important to note that the "trusted UA" assumption is not as 
> outlandish as it might seem at first; as Ryan points out on other 
> threads, we routinely make an assumption that the OS is trusted when 
> talking about native apps. One does not argue that including crypto 
> APIs in operating systems is futile just because malware and rootkits 
> exist. Many methods exist to improve the trust in the UA, including 
> the use of non-browser JS implementations. One could also argue that 
> various crypto primitives -- notably hash and RNG -- are only 
> meaningful if one accepts this assumption.
>

I agree with all the above, and thanks for listing them out, as I think 
they are all quite valid.  Again, most of the critiques we've gotten on 
the API are about not having trust in the JS at all, yet in general, I 
would maintain that arguments about server's being compromised are 
similar to arguments over rootkits on the OS level - its just XSS is 
generally easier than rootkits.

I guess what some developers want is:

1) ability to write new secure protocols in JS for use with WebApps with 
functions such as digital signatures . This would be very useful for a 
whole range of functions involving multiple servers besides the 
same-origin, such as OpenID Connect flows where one passes a signed 
token from a browser to identity provider, who then can pass that to a 
relying party in order to access personal data.

2) Developers want the crypto API to be a silver bullet for security as 
they assume access to "crypto functions = must be secure", but of course 
in reality there's quite a few more bases to be covered. Off the top of 
my head,  the developer should use CSP combined with HSTS/Cert 
Transparency/pinning for TLS (anything missing here?). That's about as 
close as we're going to get to allowing them to creating secure 
protocols in a reasonable manner for WebApps.

Also, its unclear if the server and client should be considered *one* 
application, as is traditional in web-apps. We have not yet the spec 
stable enough where we can have a use-case where  the user can have a 
private key, store it, but not let secret key material be arbitrarily 
replaced by key material from the same-origin. I'd personally like to 
see that as a possibility, as that would enable use-cases where the 
server might be not be entirely trusted.

    cheers,
        harry

> Since this question seems to keep coming up in feedback, maybe we 
> should develop a position on it as a group. Does anyone else have any 
> thoughts on the matter?
>
> **
>

Received on Monday, 8 October 2012 20:51:27 UTC