
Re: Call for Consensus: Require secure context for WebCrypto

From: Harry Halpin <hhalpin@w3.org>
Date: Fri, 15 Jul 2016 21:21:01 +0200
To: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>, Wendy Seltzer <wseltzer@w3.org>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <5789379D.5010109@w3.org>

On 07/15/2016 09:06 PM, Mike West wrote:
> +Brad and Wendy, who have opinions.
> On Thu, Jul 14, 2016 at 4:35 PM, Harry Halpin <hhalpin@w3.org> wrote:
>     We're thinking of adding a sentence saying that secure origins should be
>     required for the use of WebCrypto.
>     In detail, we'd like to follow the definition of a secure context given
>     here [1], although since that document is still an editor's draft we
>     will instead say that "The top-level browsing context should be
>     secure when using the WebCrypto API."
> I recommend against creating a one-off mechanism; the secure contexts
> spec is pretty far along, and I don't believe it will block your
> progress. I asked for a TAG review a little while ago
> (https://github.com/w3ctag/spec-reviews/issues/124), and got positive
> feedback along with a number of small issues to fix. I made quite a
> bit of progress on them today, and expect to be ready to issue a CfC
> to move to CR ~next week.

If we can normatively refer to it, that is of course preferred.
>     Since all browsers support WebCrypto using TLS, this should not change
>     the test-suite or conformance requirements. As long as browsers enable
>     the usage of WebCrypto in TLS, we will not consider them non-conformant
>     if they offer the usage of WebCrypto outside TLS. However, given it is
>     not best practice, this note will at least inform developers to use TLS
>     properly when using WebCrypto, as otherwise (as we've seen), some
>     developers may believe enabling WebCrypto without TLS may give them
>     security properties it indeed does not.
> I would suggest that one way to prevent the mismatch between developer
> expectation and actual guarantee is to enforce restrictions that
> uphold the latter.

I'm sure we can work on convincing browser vendors to disable non-TLS
WebCrypto implementations, but we don't want to pin our transition to
Rec waiting for that to happen, obviously.
> -mike
Received on Friday, 15 July 2016 19:21:12 UTC