- From: Harry Halpin <hhalpin@w3.org>
- Date: Sat, 30 Apr 2016 00:34:25 -0400
- To: Anders Rundgren <anders.rundgren.net@gmail.com>, Randall Leeds <randall.leeds@gmail.com>, Web Payments CG <public-webpayments@w3.org>
- Cc: W3C Credentials Community Group <public-credentials@w3.org>
On 04/30/2016 12:08 AM, Anders Rundgren wrote: > On 2016-04-30 02:02, Randall Leeds wrote: >> Pieces of WebCrypto land in every new release of these major browsers > > and the post you refer to is taking stock of things that are > remaining barriers to interoperability. > > AFAIK, Microsoft haven't implemented WebCrypto according to the spec. > for IE, only for Edge (which doesn't run on Win < 10) but that's just > a minor comment. Yes, because you don't make updates to previous versions of browsers. You make updates to *newer* versions. > >> >> Just this past week, Firefox 46, "Added HKDF support for Web Crypto >> API <https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API>". >> >> From my vantage point, WebCrypto is happening. > > If we stick to hype and (likely) future usage, it appears that FIDO > have taken this spot. > Currently, the wast majority of client-side crypto-using applications > are built on "Apps". For good reason, but that's not WebCrypto's fault. Browser sand-boxing is difficult. That being said, native app TLS usage is actually terrible too, if not more so: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf > > Is there any major applications out there relying on WebCrypto? Signal, Crypto.cat, various Google apps. > > >> Does the progress disappoint you? Why? What's your rush? > >> More importantly, how is your vague complaining supposed to be in any >> way helpful? >> >> What are we supposed to take away from your message? > > The thing I mentioned as another way forward. It has IMO much better > chances of getting traction because crypto without trusted UI and > trusted storage isn't that terribly useful. > > These topics were either rejected or ignored by the WebCrypto WG. For good reason. There isn't such a thing really as 'trusted UI' that users understand and there isn't a unified thing such as 'trusted storage.' > > The Web Payment WG haven't mentioned WebCrypto as a possible security > solution. I think the above statement confuses the relationship between how these technology stacks work. Crypto API is for low-level primitives in Javascript, not wallets. > > But there's nothing to get hung about; some standards get wide-spread > adoption, others do not. For example, your WebPKI work to reproduce PKI in XML has, I believe, zero adoption. > However, I think it could be useful analyzing the outcome of every > standards effort in order to (maybe) be better prepared for new > endeavors! Agreed. > > Anders > >> >> On Fri, Apr 29, 2016 at 1:56 AM Timothy Holborn >> <timothy.holborn@gmail.com <mailto:timothy.holborn@gmail.com>> wrote: >> >> imho cryptography that is highly secure from un-intended use >> seemed interesting yet difficult to find means to work >> collaboratively on the stuff that would otherwise be considered 'low >> hanging fruit'. So, when thinking about it from a modern context - i >> also took into account quantum computing capabilities as to consider >> meaningfully concepts surrounding the principle of 'rule of law' >> where i noted today the following text >> >> There is no single agreed definition of the rule of law. However, >> there is a basic core definition that has near universal acceptance. >> >> As Emeritus Professor Geoffrey Walker, has written in his >> defining work on the rule of law in Australia: ‘…most of the content >> of the rule of law can be summed up in two points: >> >> (1) that the people (including, one should add, the government) >> should be ruled by the law and obey it and >> >> (2) that the law should be such that people will be able (and, >> one should add, willing) to be guided by it.’ >> >> – Geoffrey de Q. Walker, The rule of law: foundation of >> constitutional democracy, (1st Ed., 1988). >> >> >> >> Source: http://www.ruleoflaw.org.au/principles/ >> >> >> also, IMHO: It's that concept of a 'human centric web' that's >> most difficult to discover. Yet in consideration - the way most >> people (who are old enough to remember) started on the web with >> trumpet winsock[2] - not something that was packaged with the OS >> (without going into the really old stuff...). >> >> Now therefore; When considering the concept of the map [3] I've >> been thinking about the differences or nuances between the goals of >> building a web for documents (ie: web 1/2) and one for data ("web >> 3"). If a 'trumpet winsock' to deal with the ID/Crypto issues were >> produce today, what would it do and how could it be packaged? How >> would solve the very diverse issues that relate to the problem-domain? >> >> I guess underlying it all is a need to acknowledge that decisions >> are being made about processes that are being put into the hands of >> various parties and pending the architectural decisions of those >> designs; we'll end-up with different social outcomes regardless of >> 'who wins' the more myopically definitive process as to have >> successfully completed the project. Equally; i'm probably better >> off coding rather than thinking and well, the work done here has been >> rather awesome; so perhaps it's just my expectations that need to be >> adjusted... that balance between doing your best and living with >> humility / being human. >> >> I think more work needs to go into producing interoperablity with >> SoLiD[4] solutions. For me the process of trying to bring the two >> worlds together seems really very daunting... >> >> Tim.H >> >> [1] https://en.wikipedia.org/wiki/Lattice-based_cryptography >> [2] http://thanksfortrumpetwinsock.com/ >> [3] https://www.w3.org/2007/09/map/main.jpg >> [4] https://github.com/solid/ >> >> >> On Tue, 19 Apr 2016 at 15:33 Anders Rundgren >> <anders.rundgren.net@gmail.com >> <mailto:anders.rundgren.net@gmail.com>> wrote: >> >> >> https://lists.w3.org/Archives/Public/public-webcrypto/2016Jan/0022.html >> >> And still no interoperable standard. >> >> Making it possible extending browsers through Apps seems like >> a much easier way keeping the Web alive and kicking. >> Insurmountable security issues? No, Google and Microsoft >> have solved these in Web Payments; they just haven't shared their >> findings with us. >> >> Anders >> > >
Received on Saturday, 30 April 2016 04:34:30 UTC