W3C Web Crypto, what’s next?

Where is Web Crypto?

For those wondering whether Web Crypto is a dead topic in W3C: they should not worry anymore. The Web Crypto API is safe. It is still trying to define the primitives of cryptographic operations, to be integrated in all browsers, and it is still alive. What we mean by alive in W3C is that it entered Last Call and received a serious amount of great feedback from smart reviewers, which is a good sign of interest. The dark side of having productive reviews is that it takes time to address all of them. That is why you have not heard about the W3C Web Crypto API since the summer: editors Ryan Sleevi from Google and Mark Watson from Netflix are busy, with the Working Group, solving open bugs (see our bugzilla repository).

Yes, some bugs are more complex than others…

At the moment the Working Group is reviewing some interesting items:

– Making sure the specification is extensible enough to integrate new algorithms or new types of algorithms (see related bug)

– Trying to find a way to include specific algorithms such as the NUMS curves and the 25519 curve (see related bug). That discussion is obviously related to the idea of specification extensibility. But those candidates are special in that related discussions are happening in IETF, which is currently discussing the set of algorithms that will be recommended for the next TLS version. We know that several candidates are in the running, and IETF and W3C should stay synchronized on that matter; the sensitive aspect, however, is that IETF is not scheduled to make a decision before its next meeting, in early November.

Once those bugs are resolved, along with a few others, we might be in a position to exit Last Call, let’s say in September. This means that we could start moving toward Proposed Recommendation. Another great adventure…

Proposed Recommendation? What does it mean?

It means that W3C is calling for implementations and experiments based on the specification as edited at its Last Call exit. That specification may embed some features at risk, meaning features that may be dropped after implementations have demonstrated that they are not reasonable, technically viable or feasible. But this is where we will see implementations happening. The implementers will have to demonstrate their interoperability, which is why we will develop tests (note that a repository already exists; we just need to fill it with smart and relevant tests). Several implementations have already been referenced: in Chromium (see related issue), in Firefox (see related bugzilla), and pending in WebKit (see related bugzilla) and Internet Explorer (see IE11 preview announcement).

These early implementations on the browser side put the specification on a good track to become an actual W3C Recommendation, with associated products. This should happen, let’s say… in 2015 (standards live in a timezone where milestones are barely predictable, but are supposed to follow a process; see the W3C one).

Do we close the Working Group after that?

During the last 2 years, the Web Crypto WG has been addressing a variety of problems and features, some of which have been parked. That is why, even while the Web Crypto API is in Last Call, the Working Group is already thinking about its next version. The discussion about prioritization for the next Web Crypto API will happen during a 2-day workshop, held in Mountain View on the 10th and 11th of September. Two days for that topic may sound long, but it appears that cryptography is also related to other key aspects, such as the usage of secure tokens (hardware or trusted software), web authentication operations (which the FIDO Alliance is currently working on), and certificate management, and is linked to browser security in general. Gathering all actors with an interest in that topic will hopefully help W3C identify realistic features to be added to the open web platform. The workshop will be quite crowded, with 70 people coming from 47 companies; all discussions will be accurately minuted and a report will be issued. You may hear about it on this same blog…

Note: you can also read more about the Web Crypto API scope in an old post here: https://poulpita.com/2013/07/31/first-web-crypto-implementations-expecting-your-imagination-to-play-with/

