Why Web Crypto API?
This is Channy Yun, an invited expert of the W3C HTML W/G and a community leader of Mozilla in Korea. I have been interested in cryptography and certificate services in browsers because Korean law has restricted online financial transactions by the national PKI infrastructure since 2000. The lack of browser features led to the wide use of third-party plug-ins such as ActiveX controls to issue and validate personal certificates and to make digital signatures for transaction messages.
Over 15 million certificates are issued and renewed every year in Korea. As a result, Korean people couldn't choose other browsers that are not supported by the plug-ins of bank, shopping and governmental sites. This is the case not only in Korea but also in many countries with a national certificate authority, such as European and South American countries.
- the cost of monoculture by Gen Kanai, 2007
- Korean Home-brew on the Web by Channy Yun, 2007
I have tried to suggest and discuss this topic in the WHATWG, the HTML W/G and the Webapps W/G for several years. Please read the following from the HTML W/G.
Motivation
As you know, Korea's browser monoculture has prevented tech innovation and user choice. It was caused by a wrong implementation of digital signatures under the Korean government's law and national PKI system. The technique has been based on browser plug-ins such as ActiveX and Java applets, so it also caused many security problems on users' PCs. Nowadays 15 million personal certificates have been issued, and they are used in e-banking, trading and governmental sites to validate users and transactions in Korea.
Similarly, some European countries also had national PKI systems, including Denmark and Spain. Denmark's system was open-sourced, but it is also based on browser plug-ins. Most of the commercial market, such as private CA services issuing personal certificates and transactions with digital signatures, was dominated by VeriSign.
Many countries want a national CA and want to offer their service to citizens with assurance by law[4]. So I thought a browser-based web signing model was needed, given the bad example of Korea.
History
Some people and I suggested this issue to the WHATWG because it was to be solved by browser vendors. Anders Rundgren also made his own model, WASP (signing data in browser sessions), and I worked on adding digital signatures to <form> processing in HTML5.
The following is the history of this issue.
- http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-September/thread.html#7246
- http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-October/thread.html#7573
- http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-November/thread.html#7592
- http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/015513.html
- http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-July/thread.html#15522
- http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-March/thread.html#18919
Ian recommended that we continue this discussion in the Webapps W/G. Anders has also made other efforts to solve the issues in a financial technical group.
Rebuilding of web signing
Maybe this long history was recognized by the leading people of this group. I am not convinced whether the web signing profile activity was started for this purpose or not. But it seems to have been integrated with digital signatures, and there has been no further action.
As you know, the technology situation has changed greatly since this issue was raised. Ajax was born, and there are many web applications based on open standards and Web APIs.
So I want you to consider this issue in this working group with a new baseline, and I want browser vendors to join this issue quickly, before many countries make the same mistake as Korea. Browser functions such as crypto.signText or IE's CAPICOM DLL are now deprecated. So it is essential to make a new standard and implement it.
Some people suggested that I make my own spec draft and discuss it with people. So I finished the Web Crypto API spec in June 2010. This specification was the result of many discussions in the W3C HTML5 and Web Applications Working Groups, and many people helped to make it, including Anders Rundgren, Lucas Adamski, Kai Engert, Bob Relyea, Amax Guan, Gen Kanai, Minkyu Shin, Dongsan Lee and Jungsik Shin.
Web Identity Working Group
During my work, fortunately, Mozilla has been deeply interested in this topic, including identity, security and cryptography. So David Dahl made a DOMCrypt spec and implementation in Mozilla. Finally, it resulted in the Web Identity working group, which is coming soon.
This group will support web cryptography, certificate services and identity in browsers, and gather many people from outside the W3C. Please join us!