RE: [From Web Crypto to TAG] About Secure Origin from Domenic Denicola on 2014-11-08 (www-tag@w3.org from November 2014)

From: Domenic Denicola <d@domenic.me>
Date: Sat, 8 Nov 2014 13:41:10 +0000
To: Harald Alvestrand <hta@google.com>, Mark Nottingham <mnot@mnot.net>
CC: GALINDO Virginie <Virginie.GALINDO@gemalto.com>, "www-tag@w3.org" <www-tag@w3.org>, Harry Halpin <hhalpin@w3.org>, Wendy Seltzer <wseltzer@w3.org>, W3C Chairs <Chairs@w3.org>
Message-ID: <c7c36dbeb0494508b072e77c66d89c36@CY1PR0501MB1369.namprd05.prod.outlook.com>

It's important to note that in the case of WebRTC and geolocation the only reason there is even a question at all is because those APIs were unfortunately released without the secure origin restriction in the first place. If they were designed today, as Web Crypto is, they would most certainly have been restricted.

As such the discussions you reference were all about how to mitigate this historical mistake, e.g. by introducing a depracation period for insecure uses of those APIs before eventually transitioning to secure usage only. For new APIs like web crypto, I would hope that the working group would want to avoid this costly mistake.

More information on the WebRTC case at http://lists.w3.org/Archives/Public/public-media-capture/2014Oct/0256.html


From: Harald Alvestrand [mailto:hta@google.com] 
Sent: Friday, November 7, 2014 19:14
To: Mark Nottingham
Cc: GALINDO Virginie; www-tag@w3.org; Harry Halpin; Wendy Seltzer; W3C Chairs
Subject: Re: [From Web Crypto to TAG] About Secure Origin

The conclusion from the same discussion in WebRTC seemed to be:

- There is no consensus to restrict the API to "secure origins".
- There are pretty strong arguments that if informed consent exists at all, it exists in the WebRTC device access case.
- We would add more language on the particular issue.
- We agreed to tweak the text so that a browser restricting the API in this way will clearly still be conformant (so that browsers can choose to take this decision without reading a spec change).




On Thu, Nov 6, 2014 at 4:28 PM, Mark Nottingham <mnot@mnot.net> wrote:
Hi Virginie,

We had a discussion about this on the TAG call today (albeit with only a few participants), and there seemed to be agreement that the TAG should say something more formal about this... stay tuned.

Cheers,


> On 7 Nov 2014, at 1:35 am, GALINDO Virginie <Virginie.GALINDO@gemalto.com> wrote:
>
> Hello TAG (and W3C chairs, copied),
>
> I am contacting you as chair of the Web Crypto WG.
>
> Last week in TPAC, we have been addressing the question whether the Web Crypto API should be usable only with secure origin [1]. We have need encountering several problems while discussing, which were :
> -          Does the TAG recommends a specific strategy (I heard from informal discussion with Mark Nottingham no, I heard from Alex Russel, yes) ?
> -          Does the W3C has a common definition of  what is secure origin ?
> -          Is there any possible granularity to require secure origin (e.g. use secure origin only for specific feature in a specification, which usage is particularly sensitive)?
> -          What are the feedback from service eproviders on secure origin (we heard about Netflix, but what about the others) ?
> -          Is there any easy migration path for W3C (and browser makers) to issue specifications without requiring secure origin, and later moving to mandating it.
> FYI, in the end, we concluded that, provided the number of questions, provided the low interest of browser maker in the room to support secure origin, the fact that the web crypto is about to move to CR, we would not mandate the secure origin in the Web Crypto API.
>
> I believe that those questions could apply to any new sensitive feature currently under development in W3C. Without asking the TAG to solve all the secure origin related bugs raised in github/tracker/bugzilla W3C WG, I think that it would be highly productive if the TAG could centralize and publish information helping to solve questions above. This would help all  W3C WG to take the decision to endorse or not secure origin, based on a common level of understanding of what it is.
>
> Do you think this would be feasible in a short term ?
> (I let other chairs confirming if they need or not such common framework).
>
> Regards,
> Virginie
> Chair of web crypto WG
>
> [1] Web Crypto WG minutes, see discussion related to bug 25972 http://www.w3.org/2014/10/30-crypto-minutes.html#item04

>
> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

--
Mark Nottingham   https://www.mnot.net/

Received on Saturday, 8 November 2014 13:41:45 UTC