Proposed webcrypto scope addition #584

Merged
merged 1 commit into from
May 21, 2021

wseltzer

Proposed: the WG may adopt well-supported proposals from incubation for maintenance of the Web Cryptography API (https://www.w3.org/TR/2017/REC-WebCryptoAPI-20170126/).
@mikewest

I think this is reasonable, but I'd still appreciate @sideshowbarker's contact being a little more forthcoming with their agenda for the document up front, so we know what we're getting into. :)

@annevk

annevk commented May 17, 2021

Is this solely for the purpose of crypto.randomUUID() and maintenance or something else?

@mikewest

I've heard about adding that proposal, and ed25519. Both of those sound like reasonable additions that we could extend the charter to support.

It's not clear to me what else is floating around.

@sideshowbarker

> I think this is reasonable, but I'd still appreciate @sideshowbarker's contact being a little more forthcoming with their agenda for the document up front, so we know what we're getting into. :)

I’ll ask Daniel to post a message to the mailing list today — but note that he did already to WebCrypto issue tracker —

w3c/webcrypto#249 (comment)

> I'm Daniel Huigens, the crypto team lead at Proton, and lead maintainer of OpenPGP.js. I have quite a lot of experience working with the Web Crypto API, both from working at Proton and on OpenPGP.js but also previously. I don't have as much experience editing specifications, so please bear with me while I figure that part out :)
>
> I volunteered as editor for the Web Crypto spec with the goal of making it possible for web developers to build more secure web apps. The most pressing need in the Web Crypto spec I see in that regard is to modernize the set of algorithms available. In particular, adding more secure curves, adding a more modern key derivation function, and adding a more modern AEAD construction come to mind.
>
> On the flip side, I should also explicitly say that it's not my goal to add algorithms or features purely for compatibility reasons (and that extends to things that might be useful for Proton or OpenPGP.js equally as any other company or library). I'd much rather see everyone moving towards a more secure set of algorithms.
>
> I'll make a special mention of w3c/webcrypto#73 (by far the most liked issue here) - while not strictly speaking related to improving the security, it prevents web apps from using the Web Crypto API if they have to deal with very large files, so it would be nice if we can make some progress there.
>
> I plan to reach out to the browser vendors to see if we can align on this goal, and hopefully we can get some experimental implementations in the browsers and some new text in the spec together :)

@sideshowbarker

> It's not clear to me what else is floating around.

Daniel has a pretty clear picture of all the open proposals, so I expect that as part of getting him in contact with the group, he can field questions about the proposals, and gather feedback about them — though I guess the best way to do that might be for him to direct people to relevant open issues in the issue tracker, where people could post comments with their questions and feedback.

@sideshowbarker

Note also that Daniel has already been writing up spec patches and doing PRs, and he’s looking to get some review help from one or more people with domain expertise in crypto stuff. @annevk has been reviewing, but as he notes in w3c/webcrypto#264 (review), we really need to also get somebody in to review who’s got some domain expertise.

@dveditz dveditz left a comment

This looks fine.

@samuelweiler samuelweiler merged commit 11125e4 into main May 21, 2021