This group discusses Web Crypto APIs for signing the message by the user certificate issuing from the certificate authority for SSL communications. It is based on http://html5.creation.net/webcrypto-api/
Note: Community Groups are proposed and run by the community. Although W3C hosts these conversations, the groups do not necessarily represent the views of the W3C Membership or staff.
Now many discussions are goning on scopes of Web Cryptography working group charter. I think many of use-cases in cryptography API focused in certificate authority service with personal certificates.
But, this is hard to consider another working group because of PKI based systems too. (Most of countries has own national CA system based on plug-in issuing personal certificate such as China, Japan, Spain and Brazil etc.) So I suggested adding parallel works for *Web Certificates (Service)
API* supporting these. We can add these as a scope including TLS/SSL based login/out with personal certificate and its management api(backup, restore)
and follow up HSM based certificate.
Especially in Firefox, the validation of security device based on FIPS is already possible. (Other browser?) I guess Web Certificate Service API is needed to treat this kind of interfaces in future. Anyway we have better focus on primitive APIs for light-weight usecases. Because all browsers have own key stroage. 🙂
Please give a comment for my suggestions:
The Web Cryptography Working Group should aim to produce specifications that have wide deployment amongst end-users, and so should work carefully with as many major implementers as possible. The Web Cryptography Working Group should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The cryptography work should integrate well with Web Applications and so should be developed in concert with Web Application developers and the Web Application Security and HTML Working Groups. Comprehensive test suites will be developed for the specification to ensure interoperability, and the Working Group will assist in the production of interoperability reports.
I guess there are many missing things for key management and TLS based login/logout and HSM device based key handling etc.
The W3C has prepared Web Identity working group and make a draft charter. As following is main track for works.
Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG.
Web Identity Sync
This specification should specify how web application developers can synchronize of identity information across multiple devices like browsers. Synchronization should also work in the “Cloud” to support legacy browsers. Anonymous identities (i.e. an “empty” identity) and multiple identities should be supported. When possible, commonly used data-formats should be re-used and the design should take advantage of existing work such as Mozilla Sync.
This specification should specify how web application developers access session-state information and authentication credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible changes to HTML to the HTML WG as well as specify transfer of identity-related data.
Each specification must contain a section detailing any known security implications for implementors, Web authors, and end users. The Web Identity WG will actively seek an open security review on all its specifications.
To increase the convenience and security of deployment, these specifications may interact will take into account existing platform and operating system identity managers and so additional informative work in this area may be necessary.
This is Channy Yun, an invited expert of W3C HTML W/G and a community leader of Mozilla in Korea. I have been interested in cryptography and certificate services in browsers because Korean law has restricted online financial transactions by national PKI infrastructure since 2000. The lack of browser features made wide third party plug-in as like ActiveX controls to issue and validate personal certificate, make digital signature for transaction messages.
Over 15 million certificates are issued and renewed in every year in Korea. As a result, Korean people couldn’t choose other browsers not to be supported plugin by bank, shopping and governmental sites. It’s not only Korea but also many countries with national certificate authority such as European and south American countries too.
I have tried to suggest and discuss this topic in WHATWG, HTML w/g and Webapps W/G during several years. Please read as following in HTML W/G.
As you knows, Korea’s browser monoculture has prevented tech innovations and user’s choice. It was caused by wrong implementation of digital signature by Korean govenment’s the law and national PKI system. Its technique has been based on browser plugin as like Active X and Java applet, so it also made many security problems on user’s PC. Nowadays 15 million personal certificates were issued and they are used in e-banking, trading and governmental sites to valid user and transaction in Korea.
Similarly some of European countries also had national PKI system including Denmark, Spain and etc. Denmark’s system was opensourced, but it is also based on browser plugins. It were dominated by VeriSign most of commercial market as like private CA service with issuing personal certificate and transaction with digital signature.
Many countries want to national CA and offer their service to citizen with assurance by law. So I thought it needed browser-based web signing model by bad example of Korea.
I and some people suggested this issue to WHATWG because it was solved by browser vendors. Anders Rundgren also did own model of WASP – signing data in browser sessions and I did adding digital signature in >form< processing in HTML5.
Maybe this long history was recognized by leading people of this group. I don’t convince whether the activity of web signing profile was made by this purpose or not. But, it seems to integrate with digital signature and there is no action further.
As you know, the technology situation was very changed in time raising this issue. Ajax was born and there are many web applications based on open standards and Web APIs.
So I want for you to consider this issue in this working group with new baseline and for to browser vendors to join this issue quickly before many countries commit a fault as like Korea. Brower’s functions as like crypto.signText or IE’s CAPICOM dll were deprecated in right now. So it is essential making new standard and implementation them.
Some of people have suggested to make my own spec draft and discussed this with people. So I finished Web Crypto API spec in June 2010. This specification was the result of many discussions in W3C HTML5 and Web Applications Workging Group and many people helped to make this including Anders Rundgren, Lucas Adamski, Kai Engert, Bob Relyea, Amax Guan, Gen Kanai, Minkyu Shin, Dongsan Lee and Jungsik Shin.
Web Identity Working Group
During my work, fortunetely, Mozilla has been deeply interested in this topic as like identity, security and cryptography. So David Dahl made a DOMCrypt spec and implementation in Mozilla. Finally it resulted Web Identity working group and will be soon.
This group will support web cryptography, certificate service and identity in browsers and gather many people outside W3C. Please join us!