This feature depends on the underlying crypto APIs provided by the browser, which nowadays are provided by the BoringSSL component.
No activation risks are identified.
This feature doesn't imply additional security risks, beyond the ones defined in the Security Considerations of the Web Cryptography API specification. https://www.w3.org/TR/WebCryptoAPI/#security-considerations
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
The X25519 feature has good coverage by the WPT WebCryptoAPI test suite: https://wpt.fyi/results/WebCryptoAPI?label=experimental&label=master&aligned
Shipping on desktop | 133 |
Shipping on Android | 133 |
Shipping on WebView | 133 |
Shipping on iOS | 133 |
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
None
Contact emails
jfern...@igalia.com
Explainer
https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md
Specification
https://wicg.github.io/webcrypto-secure-curves/#x25519
Design docs
https://docs.google.com/document/d/1fDTUY3HVAXehi-eSfbi7nxh8ZPw4MpSKM8U1fMdqJlU/edit?tab=t.0#heading=h.9w6b5q5ro96v
Summary
The "X25519" algorithm provides tools to perform key agreement using the X25519 function specified in [RFC7748]. The "X25519" algorithm identifier can be used in the SubtleCrypto interface to access the implemented operations:
* generateKey
* importKey
* exportKey
* deriveKey
* deriveBits
Blink component
Blink>WebCrypto
Search tags
webcrypto
TAG review
https://github.com/w3ctag/design-reviews/issues/466
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
The feature is implemented in Safari and Firefox so the interoperability risk is low.
Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1904836)
WebKit: In development (https://bugs.webkit.org/show_bug.cgi?id=258279)
Web developers: No signals
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/577e4b0b-bc9c-4d7a-90a6-dbd25c3318b3%40igalia.com.
Hi Domenic,
On Fri, Nov 22, 2024 at 7:46 PM Javier Fernandez <jfern...@igalia.com> wrote:
Contact emails
jfern...@igalia.com
Explainer
https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md
Specification
https://wicg.github.io/webcrypto-secure-curves/#x25519
Has there been any attempt to merge this into the main Web Crypto specification? It's best to avoid monkey patch specifications, and if this is indeed implemented in two browsers, that merger should be relatively easy.
Yes, there is a PR [1] that has been approved by Mozilla and
Apple, and we are waiting for someone from Chrome to follow. It
was also discussed in a WebAppSec WG meeting 2 months ago, when
some issues were identified; those were already addressed, so I
believe it's ready to be merged.
Web developers: No signals
Why are we shipping this if no web developers are interested in using it?
Hi.
Javier, can you speak to whether there's web platform test coverage for the tricky issues that were discussed on the PR, e.g. the three listed in your last comment?
First of all, the PR is to merge both X25519 and Ed25519
algorithms. This intent is just for the X25519, since the Ed25519
is still not ready and needs more spec work. We all think that
this work can be done as part of the new Web Cryptography spec
draft.
The deriveBits interop issue is the only one affecting the X25519 algorithm. There were already tests, but I have added a few more as part of bug fixes on the different browsers (mostly Firefox and Safari). I'm pretty sure we have good coverage on this issue already.
Let me use the email to clarify the other issues that were
identified as part of the PR discussion. Regarding the small-order
checks, I have added test cases to cover the most important uses
of small-order points. We could add more if we want to be
exhaustive.
Finally, the random EdDSA signatures issue is still not clear enough to
define tests, IMHO. We had some in the past, which were useful to
detect the interop issue with WebKit. However, since WebKit
considers this feature mandatory, we have removed the tests that
checked for a deterministic signature. The Secure Curves spec
doesn't explicitly state that the signatures must be
deterministic; it just refers to the RFC8032 paper where the
Ed25519 signing algorithm is specified. The CFRG has discussed
this issue and they are considering taking on a -bis document to
modify the Ed25519 algorithm, but we reached a consensus in the PR
that we can merge the current text, registering the issues about
small-order points and randomized signatures, and work on them as
part of the Web Crypto spec draft.
LGTM3
Hi,
Thank you all for reviewing the request.
I just wanted to inform you that the PR to add the X25519 and Ed25519 into the WebCrypto specification has been merged already.
https://github.com/w3c/webcrypto/pull/362#issuecomment-2519927404