- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Fri, 15 Jul 2016 15:32:33 -0400
- To: Mike West <mkwst@google.com>, Harry Halpin <hhalpin@w3.org>, Brad Hill <hillbrad@gmail.com>
- Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On 07/15/2016 03:06 PM, Mike West wrote:
> +Brad and Wendy, who have opinions.
>
> On Thu, Jul 14, 2016 at 4:35 PM, Harry Halpin <hhalpin@w3.org> wrote:
>
>> We're thinking of adding a sentence saying that secure origins should be
>> required for the use of WebCrypto.
>>
>> In detail, we'd like to follow the definition of a secure context given
>> here [1], although since that document is still an editor's draft so we
>> will instead say that the "The top-level browsing context should be
>> secure when using the WebCrypto API."
>>
>
> I recommend against creating a one-off mechanism; the secure contexts spec
> is pretty far along, and I don't believe it will block your progress. I
> asked for a TAG review a little while ago
> (https://github.com/w3ctag/spec-reviews/issues/124), and got positive
> feedback along with a number of small issues to fix. I made quite a bit of
> progress on them today, and expect to be ready to issue a CfC to move to CR
> ~next week.

Great! That should give the needed stability path for a reference from
WebCrypto.

--Wendy

>
>> Since all browsers support WebCrypto using TLS, this should not change
>> the test-suite or conformance requirements. As long as browsers enable
>> the usage of WebCrypto in TLS, we will not consider them non-conformant
>> if they offer the usage of WebCrypto outside TLS. However, given it is
>> not best practice, this note will at least inform developers to use TLS
>> properly when using WebCrypto, as otherwise (as we've seen), some
>> developers may believe enabling WebCrypto without TLS may give them
>> security properties it indeed does not.
>>
>
> I would suggest that one way to prevent the mismatch between developer
> expectation and actual guarantee is to enforce restrictions that uphold the
> latter.
>
> -mike
>

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Friday, 15 July 2016 19:32:37 UTC