Re: [From Web Crypto to TAG] About Secure Origin

On 6 November 2014 15:35, GALINDO Virginie <Virginie.Galindo@gemalto.com>
wrote:

>  Hello TAG (and W3C chairs, copied),
>
>
>
> I am contacting you as chair of the Web Crypto WG.
>
>
>
> Last week in TPAC, we have been addressing the question whether the Web
> Crypto API should be usable only with secure origin [1]. We have need
> encountering several problems while discussing, which were :
>
> -          Does the TAG recommends a specific strategy (I heard from
> informal discussion with Mark Nottingham no, I heard from Alex Russel, yes)
> ?
>
> -          Does the W3C has a common definition of  what is secure origin
> ?
>
> -          Is there any possible granularity to require secure origin
> (e.g. use secure origin only for specific feature in a specification, which
> usage is particularly sensitive)?
>
> -          What are the feedback from service eproviders on secure origin
> (we heard about Netflix, but what about the others) ?
>
> -          Is there any easy migration path for W3C (and browser makers)
> to issue specifications without requiring secure origin, and later moving
> to mandating it.
>
> FYI, in the end, we concluded that, provided the number of questions,
> provided the low interest of browser maker in the room to support secure
> origin, the fact that the web crypto is about to move to CR, we would not
> mandate the secure origin in the Web Crypto API.
>

FYI: some info on implementations here:

http://caniuse.com/#feat=cryptography

I believe web crypto is in the current firefox 33 ( go to about:config and
turn dom.crypto.enabled = true ) in firefox 34 which I think ships this
month it is enabled by default.

My understanding from talking to the list last week is that chrome requires
HTTPS but firefox does not.

As a developer, I personally find it a plus to be given that choice.  I can
see the perspective of those that are concerned about exploits wrt key
material.  So, personally I'd say let implementers choose, rather than the
spec.

*Post is mainly informational, I have no affiliation with the TAG*


>
>
> I believe that those questions could apply to any new sensitive feature
> currently under development in W3C. Without asking the TAG to solve all the
> secure origin related bugs raised in github/tracker/bugzilla W3C WG, I
> think that it would be highly productive if the TAG could centralize and
> publish information helping to solve questions above. This would help all
>  W3C WG to take the decision to endorse or not secure origin, based on a
> common level of understanding of what it is.
>
>
>
> Do you think this would be feasible in a short term ?
>
> (I let other chairs confirming if they need or not such common framework).
>
>
>
> Regards,
>
> Virginie
>
> Chair of web crypto WG
>
>
>
> [1] Web Crypto WG minutes, see discussion related to bug 25972
> http://www.w3.org/2014/10/30-crypto-minutes.html#item04
>
>
>  ------------------------------
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus.
>

Received on Friday, 7 November 2014 01:15:56 UTC