From W3C Wiki

Web Cryptography Working Group Charter

This document is under informal review

For informal discussion of the proposal, send comments and subscribe to (public archives).

The mission of this work is to define a high-level API providing common cryptographic primitives in a uniform manner on the Web platform. Use cases include securing high-value transactions, signing and verifying content, encrypting real-time communication, and improving the security of advanced protocols between web applications.

  • End date 30 December 2013
  • Confidentiality Proceedings are Public
  • Chairs @@ (@@)
  • Team Contacts Harry Halpin (FTE %: @@), @@

Usual Meeting Schedule Teleconferences: topic-specific calls may be held, normally weekly. Face-to-face: We will meet during the W3C's annual Technical Plenary week; other additional F2F meetings may be scheduled

1. Scope

The main deliverable of the Working Group will be an API that offers cryptography primitives to Web Application developers in order to implement secure application protocols, including message confidentiality and authentication services, based on secure storage of private keying material below the API.

The primary features in scope are key pair generation, encryption, decryption, digital signature generation and verification, hash/message digest algorithms, key transport/agreement algorithms, and key storage. In addition, the API should be asynchronous and must prevent external access to secret material. By default, key identifiers will be opaque.

Secondary features shall be derived from concrete use-cases - the definition of which shall form the initial part of the group's work. The following shall be considered: strong random number generation, control of session login/logout, extraction of keys from TLS sessions, destruction of temporary credentials, non-opaque key identifiers, multiple key containers, and information about the provenance of a key (such as whether it derived from a hardware or software container).

The following items are out of scope: information about the destination of a key, access control beyond enforcement of the same-origin policy, multi-key collections, advanced smartcard or other device-specific features, the management and validation of certificates.

The Web Cryptography Working Group should aim to produce specifications that have wide deployment amongst end-users, and so should work carefully with as many major implementers as possible. The Web Cryptography Working Group should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The cryptography work should integrate well with Web Applications and so should be developed in concert with Web Application developers and the Web Application Security and HTML Working Groups. Comprehensive test suites will be developed for the specification to ensure interoperability, and the Working Group will assist in the production of interoperability reports.

1.1 Success Criteria

In order to advance to Proposed Recommendation, each specification is expected to have two independent implementations of each of feature defined in the specification.

2. Deliverables

2.1 Recommendation-Track Deliverables

The working group will deliver at least the following:

  • Cryptography API: Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations as detailed in the scoping section. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG.

Each specification must contain a section detailing any known security implications for implementors, Web authors, and end users. The Web Cryptography WG will actively seek an open security review.

These specifications should take advantage of existing platform and operating system cryptography libraries.

2.1 Other Deliverables

The Working Group will produce at least the following non-normative document:

  • Use-cases and Requirements: For each suggested new feature outside of the primary features given in the charter, a concrete use-case must be described which produces clearly defined requirements on the Recommendation-track work.

Additionally, the Web Cryptography Working Group has as a goal to improve the deployment of secure client-side interactions. This will be done via outreach and interaction with various communities who have clearly defined use-cases and requirements and review by the the larger security community. So other non-normative documents may be created such as:

  • Roadmap for future work
  • Test suites for each specification
  • Primer or Best Practice documents to support web developers when designing applications dealing with cryptography;

Milestones Note: The group will document significant changes from this initial schedule on the group home page. Specification FPWD LC CR PR Rec

Cryptography API December 2011 February 2012 July 2012 September 2012 November 2012

2.1 Milestones

The production of the deliverables depends upon the resources available, and will change as new information and implementation experience is reported to the group. The most up-to-date timeline is available from the Web WG Publication Status page.

3. Dependencies and Liaisons

  • Web Applications Working Group
  • WebAppSec Working Group
  • HTML Working Group

To re-use the generation of long random numbers and other possible fetaures.

  • Internationalization Technical Reports and Notes
  • QA Framework: Specification Guidelines

3.1 External Groups

The following is a tentative list of external bodies the Working Group should collaborate with:

  • Internet Engineering Task Force

The IETF is responsible for defining robust and secure protocols for Internet functionality. A clear relationship with IETF is vital to assure the security and success of elements of Web Cryptography that supervenes upon protocol-level work. Security reviews should involve participants from the IETF Security Area. In particular, the IETF's JavaScript Object Signing and Encryption (JOSE) Working Group is known to be a "customer" for this work, see

  • ECMA Technical Committee 39 (TC39)

This is the group responsible for ECMAScript standardization and related features. As the Web Cryptography Working Group may require additional features to ECMAScript, it should collaborate with TC39.

4. Participation

To be successful, the Web Cryptography Working Group is expected to have 10 or more active participants for its duration, and to have the participation of the industry leaders in fields relevant to the specifications it produces. The Chairs and specification Editors are expected to contribute one to two days per week towards the Working Group. There is no minimum requirement for other Participants.

The Web Cryptography Working Group will also allocate the necessary resources for building test suites for each specification.

The Web Cryptography Working Group welcomes participation from non-Members. The group encourages questions and comments on its public mailing lists, as described in Communication. As needed, the group may also call for joint teleconferences and meetings with related organizations in the field.

The group also welcomes non-Members to contribute technical submissions for consideration, with the agreement from each participant to Royalty-Free licensing of those submissions under the W3C Patent Policy. The Working Group may also call for the formation of Community Groups or work in other standards bodies such as the IETF.

5. Communication

Most Web Cryptography Working Group Teleconferences will focus on discussion of particular specifications, and will be conducted on an as-needed basis. At least one teleconference will be held per week.

Most of the technical work of the group will be done through discussions on one of the group's public mailing lists, for which there is no formal requirement for participation:

  • (archive) for general discussion

The group will use a Member-confidential mailing list for administrative purposes and, at the discretion of the Chairs and members of the group, for member-only discussions in special cases when a particular member requests such a discussion.

Information about the group (for example, details about deliverables, issues, actions, status, participants) will be available from the Web Cryptography Working Group home page.

6. Decision Policy

As explained in the W3C Process Document (section 3.3), this group will seek to make decisions when there is consensus and with due process. The expectation is that typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required. However, if a decision is necessary for timely progress, but consensus is not achieved after careful consideration of the range of views presented, the Chairs should put a question out for voting within the group (allowing for remote asynchronous participation -- using, for example, email and/or web-based survey techniques) and record a decision, along with any objections. The matter should then be considered resolved unless and until new information becomes available.

This charter is written in accordance with Section 3.4, Votes of the W3C Process Document and includes no voting procedures beyond what the Process Document requires.

7. Patent Policy

This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.

For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.

8. About this Charter

This charter for the Web Cryptography Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

Harry Halpin, <>, Team Contact @@, <@@>, Team Contact @@, @@, Chair @@, @@, Chair Copyright© 2010 W3C® (MIT, ERCIM, Keio), All Rights Reserved.

$Date: 2011/09/19 22:35:38 $