- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 7 Nov 2014 02:15:27 +0100
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>, Wendy Seltzer <wseltzer@w3.org>
- Message-ID: <CAKaEYhK_fCapac3f0vEGdsC2NGEMU4EO-Mbj+8Bjr5RUbsYC0A@mail.gmail.com>
On 6 November 2014 15:35, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:

> Hello TAG (and W3C chairs, copied),
>
> I am contacting you as chair of the Web Crypto WG.
>
> Last week in TPAC, we have been addressing the question whether the Web
> Crypto API should be usable only with secure origin [1]. We have been
> encountering several problems while discussing, which were:
>
> - Does the TAG recommend a specific strategy (I heard from
> informal discussion with Mark Nottingham no, I heard from Alex Russel, yes)?
>
> - Does the W3C have a common definition of what is secure origin?
>
> - Is there any possible granularity to require secure origin
> (e.g. use secure origin only for specific feature in a specification, which
> usage is particularly sensitive)?
>
> - What is the feedback from service providers on secure origin
> (we heard about Netflix, but what about the others)?
>
> - Is there any easy migration path for W3C (and browser makers)
> to issue specifications without requiring secure origin, and later moving
> to mandating it.
>
> FYI, in the end, we concluded that, provided the number of questions,
> provided the low interest of browser makers in the room to support secure
> origin, the fact that the web crypto is about to move to CR, we would not
> mandate the secure origin in the Web Crypto API.
>

FYI: some info on implementations here:

http://caniuse.com/#feat=cryptography

I believe web crypto is in the current Firefox 33 (go to about:config and turn dom.crypto.enabled = true); in Firefox 34, which I think ships this month, it is enabled by default.

My understanding from talking to the list last week is that Chrome requires HTTPS but Firefox does not.

As a developer, I personally find it a plus to be given that choice. I can see the perspective of those that are concerned about exploits wrt key material.

So, personally I'd say let implementers choose, rather than the spec.

*Post is mainly informational, I have no affiliation with the TAG*

>
> I believe that those questions could apply to any new sensitive feature
> currently under development in W3C. Without asking the TAG to solve all the
> secure origin related bugs raised in github/tracker/bugzilla W3C WG, I
> think that it would be highly productive if the TAG could centralize and
> publish information helping to solve questions above. This would help all
> W3C WG to take the decision to endorse or not secure origin, based on a
> common level of understanding of what it is.
>
> Do you think this would be feasible in a short term?
>
> (I let other chairs confirm if they need or not such common framework).
>
> Regards,
>
> Virginie
>
> Chair of web crypto WG
>
> [1] Web Crypto WG minutes, see discussion related to bug 25972
> http://www.w3.org/2014/10/30-crypto-minutes.html#item04
>
> ------------------------------
> This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus.
>
Received on Friday, 7 November 2014 01:15:56 UTC