WG Future Work

From W3C Web Cryptography Wiki

Rechartering Web Crypto WG

The discussion about rechartering the Web Crypto WG is happening on the Web Security IG.

Integration of Streams in Web Crypto API (led by Aymeric Vitte)

Integration of new algorithms

  • SEED
  • New Named Curves
      - curve25519 (description, deployment) --> please add implementers' plan
      - Brainpool curves (description: http://tools.ietf.org/html/rfc5639, deployment unknown) --> please add implementers' plan
      - MSR curves (description, deployment unknown) --> please add implementers' plan

Note: for curve names and definitions, an interesting resource discussing the security merits, names and definitions of curves is 'SafeCurves: choosing safe curves for elliptic-curve cryptography' [1]

Certificate management and usage (led by Sangrae & Mountie)

related wiki

certificate lifecycle management (issue/revoke/renew ...)

certificate validation with CRL/CRLDP/OCSP

reading certificate extensions with charset consideration

Retrieving multiple keys (led by Michael H)

Dealing with hardware tokens, related to Web Crypto Next Workshop

A workshop was held on 10/11 Sept 2014 to discuss potential new features. The report is available here.

Potential new requirements from Web RTC (led by Richard B)

WebRTC communications are encrypted with keys negotiated using DTLS (with either SRTP or DTLS itself used for encryption). These keys are bound to user identities by way of identity assertions passed in SDP [draft-ietf-rtcweb-security-arch]. The challenge is that WebRTC apps want to be able to control which keys are used in the DTLS negotiation.

The overall concept is that the app will be able to impose a key on the DTLS session, using something like a setDtlsKey() method. The question is: Can WebRTC use WebCrypto Key objects to represent keys used for DTLS? It appears that the answer to this question is “yes”. The app/key separation provided by the WebCrypto API provides the layer of separation that is needed. However, the WebRTC layer needs some additional metadata about the key:

  • Whether the key was ever accessible to JS
  • Limitation of the key to usage with DTLS

The proposal is to add information to the WebCrypto Key object to encode these metadata.
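Why the existing Key attributes are not enough for the first item, as an added example that is not part of the original wiki page: a key generated as non-extractable and a key re-imported as non-extractable from a JWK that script has already read expose identical attributes. The function names and the P-256 ECDSA choice are assumptions made for illustration; it runs in a browser or in Node.js.

```javascript
// Added example (not from the WG): the current CryptoKey attributes cannot say
// whether the private value was ever visible to script.
const ALG = { name: 'ECDSA', namedCurve: 'P-256' }; // assumed algorithm for the demo

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle; // older Node.js releases
}

// Everything a consumer such as the WebRTC layer can read from a key object today.
function visibleAttributes(key) {
  return JSON.stringify({
    type: key.type,
    extractable: key.extractable,
    algorithm: `${key.algorithm.name}/${key.algorithm.namedCurve}`,
    usages: [...key.usages],
  });
}

async function compareKeyProvenance() {
  const subtle = await getSubtle();

  // Key A: generated non-extractable, so script never sees the private value.
  const a = await subtle.generateKey(ALG, false, ['sign']);

  // Key B: generated extractable, exported (script now holds the private
  // value in jwk.d), then re-imported as non-extractable.
  const tmp = await subtle.generateKey(ALG, true, ['sign']);
  const jwk = await subtle.exportKey('jwk', tmp.privateKey);
  const b = await subtle.importKey('jwk', jwk, ALG, false, ['sign']);

  // exportKey must reject for both keys because extractable is false.
  const exportBlocked = (k) => subtle.exportKey('jwk', k).then(() => false, () => true);

  return {
    attrsA: visibleAttributes(a.privateKey),
    attrsB: visibleAttributes(b),
    bothNonExportable: (await exportBlocked(a.privateKey)) && (await exportBlocked(b)),
    scriptSawB: typeof jwk.d === 'string', // private scalar was readable by JS
  };
}

compareKeyProvenance().then((r) => {
  console.log('A:', r.attrsA);
  console.log('B:', r.attrsB);
  console.log('indistinguishable:', r.attrsA === r.attrsB, 'script saw B:', r.scriptSawB);
});
```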

Initial material on the potential need for a special key for DTLS usage was discussed during the Nov 2013 F2F meeting (slides).

Potential new requirements from Web Payment activity (led by Virginie G)

A W3C workshop will be organized in March 2014. New requirements may be expressed at this time. The Web Payment Interest Group was created in October 2014 (note: a presentation related to the Web Crypto WG & Web Payment IG is available here).