W3C home > Mailing lists > Public > public-webrtc@w3.org > December 2014

Re: WebRTC Certificate Management - a plea to NOT use Web Crypto

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 23 Dec 2014 11:31:23 -0800
Message-ID: <CABkgnnWMhMdT20T1Z+Y8=6jMJqk2aK4B4T0i5PzXKan47+QF8A@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Richard Barnes <rlb@ipv.sx>, public-webcrypto@w3.org, "public-webrtc@w3.org" <public-webrtc@w3.org>
On 23 December 2014 at 10:43, Ryan Sleevi <sleevi@google.com> wrote:
> - Undoes three years of hard work to design some semblance of security
> guarantees regarding what is usable and exposed.
> - Introduces unnecessary ontological confusion by attempting to overlay a
> high-level semantic onto the notion of keys that the WG *repeatedly* has
> rejected
> - attempts to redefine the charter and scope of a WG and its key deliverable

Ryan, I'm seeing a lot of very strong language[1], but I'm having
trouble understanding your objections.

Let's see if I can try to ask some simple questions for clarity.

If, as Richard proposes, you get a CryptoKey with a usage of 'webrtc',
and that isn't good for anything but WebRTC, what risk does this pose
to WebCrypto?  What security protections in particular does this
ignore or jeopardize?

--Martin

[1] Frankly, I'm shocked that you think this tone is acceptable.
Received on Tuesday, 23 December 2014 19:31:50 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:42 UTC