SlideShare a Scribd company logo
The History and Status of
Web Cryptography API


                  Channy Yun
                 Mozilla Korean Community
                 http://www.mozilla.or.kr
About me
• Before Daum
  – 1997~2004 E-Commerce
     • Reference: SK MusicOK, iMusicLand and YBM Tutti etc.
  – 1999~2004 Payment Gateway
     • Mypay.net, an integrated payment for SOHO business
  – 2001~2004 Certificate Business
     • Thawte.co.kr, an authorized Reseller of Thawte and Verisign Japan

• In Daum
  – 2004~ Web Standards Evangelist
     • Mozilla Korean Community, Leader (2002-)
     • W3C HTML W/G, Invited Expert(2007-)
     • W3C Web Crypto API Community Group, Chair (2011-)
     • W3C WebCryptography W/G, Invited Expert (2012-)
Agenda
• History
  – Legacy: crypto.signText and CAPICOM
  – History: XML Signature

• HTML5: from document to application
  – Crypto in HTML W/G
  – Draft: Web Crypto API

• Raising Web Identity
  – Web Identity and BrowserID

• Web Cryptography API
  – Public key encryption, signing message and decryption.
  – Use cases and key isolations

• Future plan
Legacy: crypto.signText and CAPICOM
History: XML Signature
• W3C XML Signature Syntax and Processing
     • http://www.w3.org/TR/xmldsig-core
     • From 2000, based on web services bubble
     • Issues on XML Canonicalization and performance in SOA applications,
       lacks of web based use cases


• Web Activated Signature Protocol
     • http://webpki.org
     • From 2006, Based on XML signature proposed by Anders Rundgren
     • Issues on deprecated XML signature and lacks of primitive functions
       such as Javascript APIs
From Document to Application

1995    2000           2005           2010




               Web Hypertext Application
                Technology Working Group
Return to W3C - HTML5 Era
Range of HTML5




                              HTML5 Buzz Word                     CSS3
    Geolocation

                        Canvas      HTML5         Offline
                                                                  WebRTC

   Web Workers
                                                                 Device API
                         Web Form            Markup
      File API
                                  Video&Audio                   Web Sockets
       WebGL

          Server-Sent         Indexed
                                           XMLHttpRequest   DOM Storage
            Events          Database API
Crypto in W3C HTML W/G
• Simple Keygen
     • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-
       April/019206.html
     • http://www.w3.org/TR/html-markup/keygen.html
     • Integrates tightly with the form submission model
     • Issues on Microsoft has no intention of ever implementing the <keygen>
       element. (Crypto part was changed “optional”)
• Simple form signing
     • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006-
       October/007571.html
     • Strict form submission for crypto.signText
        <form action="sendMoney" stricted>
         <input type="text" name="dollars" value="3.00" signed="signed">
         <input type="text" name="account" values="1234567890">
         <input type="submit" value="Sending Money!">
        </form>
Draft: Web Crypto API




   • http://html5.creation.net/webcrypto-api/
   • Focused on certificate services, but issues on identity
Raising Web Identity
• Identity Crisis
     • Dead of OpenID and widely usages of OAuth
     • Lock-in social web giants (Facebook, Twitter)
     • Needs of self-managed distributed Identity system


• BrowserID and DOM Crypt                     (2011.5)
     • Mozilla’s new identity policy
     • http://identity.mozilla.com/post/7616727542/introducing-
       browserid-a-better-way-to-sign-in
     • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-
       May/031741.html
c.f. Comparison of Identity
Proposal of Web Identity W/G
• http://www.w3.org/2011/08/webidentity-charter.html
   – Cryptography API
       • Commonly-used cryptographic primitives should be made available to web application developers via a standardized API
         to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well
         as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already
         been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG.

   – Web Identity Sync
       • This specification should specify how web application developers can synchronize of identity information across
         multiple devices like browsers. Synchronization should also work in the "Cloud" to support legacy browsers. Anonymous
         identities (i.e. an "empty" identity) and multiple identities should be supported. When possible, commonly used data-
         formats should be re-used and the design should take advantage of existing work such as Mozilla Sync.

   – Identity API
       • This specification should specify how web application developers access session-state information and authentication
         credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the
         Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible
         changes to HTML to the HTML WG as well as specify transfer of identity-related data.


• WebCrypto API Community Group
       • http://www.w3.org/community/webcryptoapi
       • http://www.w3.org/community/webcryptoapi/2011/09/15/why-web-crypto-api/
       • Helping W3C Standards for cryptography and certificate services.
Web Cryptography W/G
• http://www.w3.org/2011/11/webcryptography-charter.html

•   Primary API Features in scope are:
     –   key generation, encryption, decryption, deletion, digital signature generation and
         verification, hash/message authentication codes, key transport/agreement, strong
         random number generation, key derivation functions, and key storage and control
         beyond the lifetime of a single session. In addition, the API should be asynchronous and
         must prevent or control access to secret key material and other sensitive cryptographic
         values and settings. Encryption and decryption include both symmetric and asymmetric
         cryptography.
•   Secondary API Features that may be in scope are:
     –   control of TLS session login/logout, derivation of keys from TLS sessions, a simplified
         data protection function, multiple key containers, key import/export, a common method
         for accessing and defining properties of keys, and the lifecycle control of credentials such
         enrollment, selection, and revocation of credentials with a focus enabling the selection of
         certificates for signing and encryption.
•   Out of scope:
     –   features including special handling directly for non-opaque key identification schemes,
         access-control mechanisms beyond the enforcement of the same-origin policy, and
         functions in the API that require smartcard or other device-specific behavior.
Web Cryptography API




   http://www.w3.org/2012/webcrypto/WebCryptoAPI/
• Basic
  – Hash




  – Mac




  – Random Number
     • window.crypto.getRandomValues
     • https://dvcs.w3.org/hg/domcrypt/raw-file/tip/Overview.html
• Public Key Encryption




• Encrypt and sign message
• Decrypt a received blob




• Sign and verify
• Major Functions
  – Signature, MAC, Public Key Encryption, Symmetric
    Encryption and Hash

• Requirements
  –   a standard, cross-browser API
  –   the speed of native crypto implementation
  –   the security of isolating the keys from JavaScript code
  –   persistent key storage and access to system cert/key

• Use Cases
  – http://www.w3.org/wiki/NetflixWebCryptoUseCase
  – http://www.w3.org/wiki/KoreaWebCryptoUseCase
Collecting use cases
• Primary features
        • Secure messaging
        • Encrypted web applications
        • Storing local storage
        • Encrypted bill
        • Client authentications
• Secondary features
        • Financial Transaction: Online bank
        • Credit card process
        • SSL VPN
        • Handling S/MIME mail
        • Handling XML Encryption

•   http://www.w3.org/community/webcryptoapi/wiki/Use_Cases
Key isolations proposed by Ryan Sleevi
• Origin-bound:
   – generated via .generateKey() bound to a single origin with short-lived (session
     cookie style?)
       • Use case: DHE/ECDHE/PAKE key agreement for opportunistic encryption of chat over Websockets,
         where the intermediary is not trusted.
       • Use case: Perhaps some binding of a user login/cookie data to some encrypted context. The key is only
         as useful as long as the cookie lives, and vice-versa.
• Persistent:
   – effectively super-cookie that might apply to cookies/cache/other data.
       • Use case: "identity key" with a service might be used for mail signing, HTML5 file storage, online chat,
         etc. single origin or shared with multiple origins
             –   Keys may be stored in software (managed by the UA), in the OS or some global key store (making them available to other
                 applications beyond the UA), in "the cloud" as part of some sync service, or even stored on another device such as TPM or
                 smart card.
       • Use Case: For embedders (such as Netflix), for purchase USB TPMs
• High Value:
   – a strong correlation to certain high value transactions - particularly where
     force of law is involved. Unlike the above 'persistent' keys, HVKs are strongly
     correlated to identity, and may reflect government or financial services
     issuance.
       • Use Case: Signing a legal document - tax forms, contract, performing 'sensitive' transactions (bank
         transaction confirmation, etc)
Future Plan
• Secondary API spec
  – aka. Web Certificate Service API
  – TLS login/out, key management including
    import/export and signing/verification
  – Discussions for smartcard and USB token


• Get started
  – Join W3C WebCryptography W/G
     • http://lists.w3.org/Archives/Public/public-webcrypto/
  – Join W3C WebCrypto API Community Group
     • http://www.w3.org/community/webcryptoapi/
References in Korean
1.   액티브X 없이 공인인증서 쓴다
     http://www.zdnet.co.kr/news/news_view.asp?artice_id=2
     0120323121226
2.   공인인증서 액티브X와 결별하려면
     http://www.zdnet.co.kr/news/news_view.asp?artice_id=2
     0120329124248
3.   전자서명 웹 표준화 안되나?
     http://channy.creation.net/blog/884
4.   ActiveX 걷어낼 웹표준 만든다
     http://blog.creation.net/519
5.   WebCrypto API의 현재와 미래
     http://channy.creation.net/blog/884
Thanks for listening: Q&A
       Channy Yun
       Twitter: @channyun

       E-mail: channy@mozilla.or.kr
       Blog: http://channy.creation.net

More Related Content

What's hot

Web Development - Lecture 1
Web Development - Lecture 1Web Development - Lecture 1
Web Development - Lecture 1
Syed Shahzaib Sohail
 
HTML5 표준 소개
HTML5 표준 소개HTML5 표준 소개
HTML5 표준 소개
Chris
 
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web Development
Tilak Joshi
 
Introduction to eXo ECM Suite
Introduction to eXo ECM SuiteIntroduction to eXo ECM Suite
Introduction to eXo ECM Suite
Tugdual Grall
 
OUGF OSGi/Flex
OUGF OSGi/FlexOUGF OSGi/Flex
OUGF OSGi/Flex
François Fornaciari
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
Yan Shi
 
Dot net Online Training | .Net Training and Placement online
Dot net Online Training | .Net Training and Placement onlineDot net Online Training | .Net Training and Placement online
Dot net Online Training | .Net Training and Placement online
Garuda Trainings
 
Sencha touchonbb10 bootcamp
Sencha touchonbb10 bootcampSencha touchonbb10 bootcamp
Sencha touchonbb10 bootcamp
n_adam_stanley
 
HTML5 and web platform
HTML5 and web platformHTML5 and web platform
HTML5 and web platform
dynamis
 
Adaptive Web Design Workshop [inspire 2011]
Adaptive Web Design Workshop [inspire 2011]Adaptive Web Design Workshop [inspire 2011]
Adaptive Web Design Workshop [inspire 2011]
Aaron Gustafson
 
HTML5 and Browsers
HTML5 and BrowsersHTML5 and Browsers
HTML5 and Browsers
dynamis
 
Web 2.0 and ASP.NET Ajax
Web 2.0 and ASP.NET AjaxWeb 2.0 and ASP.NET Ajax
Web 2.0 and ASP.NET Ajax
sudhakar
 
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
Rikkyo University
 
Developing Applications with Nokia WRT
Developing Applications with Nokia WRTDeveloping Applications with Nokia WRT
Developing Applications with Nokia WRT
Prashanth GN
 
Html5
Html5Html5
Html5
mikusuraj
 
Html5 on Mobile(For Developer)
Html5 on Mobile(For Developer)Html5 on Mobile(For Developer)
Html5 on Mobile(For Developer)
Adam Lu
 
Adaptive Web Design Workshop [Iceweb 2011]
Adaptive Web Design Workshop [Iceweb 2011]Adaptive Web Design Workshop [Iceweb 2011]
Adaptive Web Design Workshop [Iceweb 2011]
Aaron Gustafson
 
Web 2.0
Web 2.0Web 2.0

What's hot (18)

Web Development - Lecture 1
Web Development - Lecture 1Web Development - Lecture 1
Web Development - Lecture 1
 
HTML5 표준 소개
HTML5 표준 소개HTML5 표준 소개
HTML5 표준 소개
 
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web DevelopmentHTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web Development
 
Introduction to eXo ECM Suite
Introduction to eXo ECM SuiteIntroduction to eXo ECM Suite
Introduction to eXo ECM Suite
 
OUGF OSGi/Flex
OUGF OSGi/FlexOUGF OSGi/Flex
OUGF OSGi/Flex
 
Web Apps and more
Web Apps and moreWeb Apps and more
Web Apps and more
 
Dot net Online Training | .Net Training and Placement online
Dot net Online Training | .Net Training and Placement onlineDot net Online Training | .Net Training and Placement online
Dot net Online Training | .Net Training and Placement online
 
Sencha touchonbb10 bootcamp
Sencha touchonbb10 bootcampSencha touchonbb10 bootcamp
Sencha touchonbb10 bootcamp
 
HTML5 and web platform
HTML5 and web platformHTML5 and web platform
HTML5 and web platform
 
Adaptive Web Design Workshop [inspire 2011]
Adaptive Web Design Workshop [inspire 2011]Adaptive Web Design Workshop [inspire 2011]
Adaptive Web Design Workshop [inspire 2011]
 
HTML5 and Browsers
HTML5 and BrowsersHTML5 and Browsers
HTML5 and Browsers
 
Web 2.0 and ASP.NET Ajax
Web 2.0 and ASP.NET AjaxWeb 2.0 and ASP.NET Ajax
Web 2.0 and ASP.NET Ajax
 
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
Open Source Conference 2010 福岡 W3C/Keio 講演 ウェブ技術の現状と将来
 
Developing Applications with Nokia WRT
Developing Applications with Nokia WRTDeveloping Applications with Nokia WRT
Developing Applications with Nokia WRT
 
Html5
Html5Html5
Html5
 
Html5 on Mobile(For Developer)
Html5 on Mobile(For Developer)Html5 on Mobile(For Developer)
Html5 on Mobile(For Developer)
 
Adaptive Web Design Workshop [Iceweb 2011]
Adaptive Web Design Workshop [Iceweb 2011]Adaptive Web Design Workshop [Iceweb 2011]
Adaptive Web Design Workshop [Iceweb 2011]
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 

Similar to The History and Status of Web Crypto API (2012)

HTML5 Programming
HTML5 ProgrammingHTML5 Programming
HTML5 Programming
hotrannam
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
Christian Posta
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
Arnaud Le Hors
 
Internet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-AInternet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-A
Brian Chambers
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
Frank Greco
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
chuckbt
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
Sanjeev Verma, PhD
 
HTML5 and CSS3 refresher
HTML5 and CSS3 refresherHTML5 and CSS3 refresher
HTML5 and CSS3 refresher
Ivano Malavolta
 
WebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the FutureWebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the Future
Frank Greco
 
20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料 20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料
オラクルエンジニア通信
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4
LennartF
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
Sanjeev Verma, PhD
 
Oracle Blockchain Experience Day
Oracle Blockchain Experience DayOracle Blockchain Experience Day
Oracle Blockchain Experience Day
Juarez Junior
 
2015 5-7-slide
2015 5-7-slide2015 5-7-slide
2015 5-7-slide
Syuhei Hiya
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protection
Austina Francis
 
What's new in web standards?
What's new in web standards?What's new in web standards?
What's new in web standards?
Daniel Appelquist
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An Overview
Nagendra Um
 
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
WSO2
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
ForgeRock
 

Similar to The History and Status of Web Crypto API (2012) (20)

HTML5 Programming
HTML5 ProgrammingHTML5 Programming
HTML5 Programming
 
API Gateways are going through an identity crisis
API Gateways are going through an identity crisisAPI Gateways are going through an identity crisis
API Gateways are going through an identity crisis
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
 
Internet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-AInternet of Things and Edge Compute at Chick-fil-A
Internet of Things and Edge Compute at Chick-fil-A
 
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SFWebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
WebSocket Perspectives and Vision for the Future - HTML5DevConf Oct 2013 SF
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Evolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser SecurityEvolution Of The Web Platform & Browser Security
Evolution Of The Web Platform & Browser Security
 
HTML5 and CSS3 refresher
HTML5 and CSS3 refresherHTML5 and CSS3 refresher
HTML5 and CSS3 refresher
 
WebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the FutureWebSocket Perspectives and Vision for the Future
WebSocket Perspectives and Vision for the Future
 
20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料 20190404 Blockchain GIG #2 Oracle Mark発表資料
20190404 Blockchain GIG #2 Oracle Mark発表資料
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4
 
Basics of the Web Platform
Basics of the Web PlatformBasics of the Web Platform
Basics of the Web Platform
 
Oracle Blockchain Experience Day
Oracle Blockchain Experience DayOracle Blockchain Experience Day
Oracle Blockchain Experience Day
 
2015 5-7-slide
2015 5-7-slide2015 5-7-slide
2015 5-7-slide
 
Www architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protectionWww architecture,cgi, client server security, protection
Www architecture,cgi, client server security, protection
 
What's new in web standards?
What's new in web standards?What's new in web standards?
What's new in web standards?
 
HTML5: An Overview
HTML5: An OverviewHTML5: An Overview
HTML5: An Overview
 
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
[WSO2Con EU 2017] Microservice Architecture (MSA) and Integration Microservices
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
 

More from Channy Yun

Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
Channy Yun
 
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트 Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Channy Yun
 
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트) Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
Channy Yun
 
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
Channy Yun
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
Channy Yun
 
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Channy Yun
 
한국 웹20주년 기념 소책자
한국 웹20주년 기념 소책자한국 웹20주년 기념 소책자
한국 웹20주년 기념 소책자
Channy Yun
 
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
Channy Yun
 
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013) 클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
Channy Yun
 
Channy의 좌충우돌 스타트업 경험기 - 나인포유
Channy의 좌충우돌 스타트업 경험기 - 나인포유Channy의 좌충우돌 스타트업 경험기 - 나인포유
Channy의 좌충우돌 스타트업 경험기 - 나인포유
Channy Yun
 
Microservices architecture examples
Microservices architecture examplesMicroservices architecture examples
Microservices architecture examples
Channy Yun
 
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
Channy Yun
 
빅데이터 기술 현황과 시장 전망(2014)
빅데이터 기술 현황과 시장 전망(2014)빅데이터 기술 현황과 시장 전망(2014)
빅데이터 기술 현황과 시장 전망(2014)
Channy Yun
 
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
Channy Yun
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Channy Yun
 
Webware - from Document to Operating System
Webware - from Document to Operating System Webware - from Document to Operating System
Webware - from Document to Operating System
Channy Yun
 
Daum APIs: A to Z - API Meetup 2014
Daum APIs: A to Z  - API Meetup 2014Daum APIs: A to Z  - API Meetup 2014
Daum APIs: A to Z - API Meetup 2014Channy Yun
 

More from Channy Yun (20)

Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
Chaos Engineering을 위한 최신 도구 업데이트 - 윤석찬 (AWS 테크에반젤리스트)
 
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
인공지능이 이끌어가는 아마존의 리테일 혁신 - 윤석찬 (AWS) :: 메조미디어 옥토콘(OCTOCON) 2019
 
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트 Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
Chaos Engineering on Microservices - 윤석찬, AWS 테크에반젤리스트
 
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트) Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
Kubernates를 위한 Chaos Engineering in Action :: 윤석찬 (AWS 테크에반젤리스트)
 
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
ICGIS 2018 - Cloud-powered Machine Learnings on Geospactial Services (Channy ...
 
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
How to Measure DevRel's Perfomances: From Community to Business - Channy Yun ...
 
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
KubeMonkey를 통한 Chaos Engineering 실전 운영하기 - 윤석찬 (AWS 테크에반젤리스트)
 
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업
Game Day in Action for Chaos Engineering - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
 
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) ::  한국 카오스엔지니어링 밋업
Chaos Engineering 시작하기 - 윤석찬 (AWS 테크에반젤리스트) :: 한국 카오스엔지니어링 밋업
 
한국 웹20주년 기념 소책자
한국 웹20주년 기념 소책자한국 웹20주년 기념 소책자
한국 웹20주년 기념 소책자
 
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
차니의 IT 이야기 #2- 개발자 경력 관리 조언 (윤석찬)
 
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013) 클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
클라우드 컴퓨팅과 Daum의 사례- 윤석찬 (KREN 연구 협력 포럼, 2013)
 
Channy의 좌충우돌 스타트업 경험기 - 나인포유
Channy의 좌충우돌 스타트업 경험기 - 나인포유Channy의 좌충우돌 스타트업 경험기 - 나인포유
Channy의 좌충우돌 스타트업 경험기 - 나인포유
 
Microservices architecture examples
Microservices architecture examplesMicroservices architecture examples
Microservices architecture examples
 
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
글로벌 지도 API 서비스 현황과 미래 - 한국지리정보학회 (2014)
 
빅데이터 기술 현황과 시장 전망(2014)
빅데이터 기술 현황과 시장 전망(2014)빅데이터 기술 현황과 시장 전망(2014)
빅데이터 기술 현황과 시장 전망(2014)
 
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
공공 데이터 활용 방법론 - 오픈 API 기술 및 동향 (KRNET 2014)
 
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
Mozilla Firefox OS, its Technical Platform and Future - ISET 2014
 
Webware - from Document to Operating System
Webware - from Document to Operating System Webware - from Document to Operating System
Webware - from Document to Operating System
 
Daum APIs: A to Z - API Meetup 2014
Daum APIs: A to Z  - API Meetup 2014Daum APIs: A to Z  - API Meetup 2014
Daum APIs: A to Z - API Meetup 2014
 

Recently uploaded

OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 

The History and Status of Web Crypto API (2012)

  • 1. The History and Status of Web Cryptography API Channy Yun Mozilla Korean Community http://www.mozilla.or.kr
  • 2. About me • Before Daum – 1997~2004 E-Commerce • Reference: SK MusicOK, iMusicLand and YBM Tutti etc. – 1999~2004 Payment Gateway • Mypay.net, an integrated payment for SOHO business – 2001~2004 Certificate Business • Thawte.co.kr, an authorized Reseller of Thawte and Verisign Japan • In Daum – 2004~ Web Standards Evangelist • Mozilla Korean Community, Leader (2002-) • W3C HTML W/G, Invited Expert(2007-) • W3C Web Crypto API Community Group, Chair (2011-) • W3C WebCryptography W/G, Invited Expert (2012-)
  • 3. Agenda • History – Legacy: crypto.signText and CAPICOM – History: XML Signature • HTML5: from document to application – Crypto in HTML W/G – Draft: Web Crypto API • Raising Web Identity – Web Identity and BrowserID • Web Cryptography API – Public key encryption, signing message and decryption. – Use cases and key isolations • Future plan
  • 5. History: XML Signature • W3C XML Signature Syntax and Processing • http://www.w3.org/TR/xmldsig-core • From 2000, based on web services bubble • Issues on XML Canonicalization and performance in SOA applications, lacks of web based use cases • Web Activated Signature Protocol • http://webpki.org • From 2006, Based on XML signature proposed by Anders Rundgren • Issues on deprecated XML signature and lacks of primitive functions such as Javascript APIs
  • 6. From Document to Application 1995 2000 2005 2010 Web Hypertext Application Technology Working Group
  • 7. Return to W3C - HTML5 Era
  • 8. Range of HTML5 HTML5 Buzz Word CSS3 Geolocation Canvas HTML5 Offline WebRTC Web Workers Device API Web Form Markup File API Video&Audio Web Sockets WebGL Server-Sent Indexed XMLHttpRequest DOM Storage Events Database API
  • 9. Crypto in W3C HTML W/G • Simple Keygen • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009- April/019206.html • http://www.w3.org/TR/html-markup/keygen.html • Integrates tightly with the form submission model • Issues on Microsoft has no intention of ever implementing the <keygen> element. (Crypto part was changed “optional”) • Simple form signing • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2006- October/007571.html • Strict form submission for crypto.signText <form action="sendMoney" stricted> <input type="text" name="dollars" value="3.00" signed="signed"> <input type="text" name="account" values="1234567890"> <input type="submit" value="Sending Money!"> </form>
  • 10. Draft: Web Crypto API • http://html5.creation.net/webcrypto-api/ • Focused on certificate services, but issues on identity
  • 11. Raising Web Identity • Identity Crisis • Dead of OpenID and widely usages of OAuth • Lock-in social web giants (Facebook, Twitter) • Needs of self-managed distributed Identity system • BrowserID and DOM Crypt (2011.5) • Mozilla’s new identity policy • http://identity.mozilla.com/post/7616727542/introducing- browserid-a-better-way-to-sign-in • http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011- May/031741.html
  • 12. c.f. Comparison of Identity
  • 13. Proposal of Web Identity W/G • http://www.w3.org/2011/08/webidentity-charter.html – Cryptography API • Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG. – Web Identity Sync • This specification should specify how web application developers can synchronize of identity information across multiple devices like browsers. Synchronization should also work in the "Cloud" to support legacy browsers. Anonymous identities (i.e. an "empty" identity) and multiple identities should be supported. When possible, commonly used data- formats should be re-used and the design should take advantage of existing work such as Mozilla Sync. – Identity API • This specification should specify how web application developers access session-state information and authentication credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible changes to HTML to the HTML WG as well as specify transfer of identity-related data. • WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi • http://www.w3.org/community/webcryptoapi/2011/09/15/why-web-crypto-api/ • Helping W3C Standards for cryptography and certificate services.
  • 14. Web Cryptography W/G • http://www.w3.org/2011/11/webcryptography-charter.html • Primary API Features in scope are: – key generation, encryption, decryption, deletion, digital signature generation and verification, hash/message authentication codes, key transport/agreement, strong random number generation, key derivation functions, and key storage and control beyond the lifetime of a single session. In addition, the API should be asynchronous and must prevent or control access to secret key material and other sensitive cryptographic values and settings. Encryption and decryption include both symmetric and asymmetric cryptography. • Secondary API Features that may be in scope are: – control of TLS session login/logout, derivation of keys from TLS sessions, a simplified data protection function, multiple key containers, key import/export, a common method for accessing and defining properties of keys, and the lifecycle control of credentials such enrollment, selection, and revocation of credentials with a focus enabling the selection of certificates for signing and encryption. • Out of scope: – features including special handling directly for non-opaque key identification schemes, access-control mechanisms beyond the enforcement of the same-origin policy, and functions in the API that require smartcard or other device-specific behavior.
  • 15. Web Cryptography API http://www.w3.org/2012/webcrypto/WebCryptoAPI/
  • 16. • Basic – Hash – Mac – Random Number • window.crypto.getRandomValues • https://dvcs.w3.org/hg/domcrypt/raw-file/tip/Overview.html
  • 17. • Public Key Encryption • Encrypt and sign message
  • 18. • Decrypt a received blob • Sign and verify
  • 19. • Major Functions – Signature, MAC, Public Key Encryption, Symmetric Encryption and Hash • Requirements – a standard, cross-browser API – the speed of native crypto implementation – the security of isolating the keys from JavaScript code – persistent key storage and access to system cert/key • Use Cases – http://www.w3.org/wiki/NetflixWebCryptoUseCase – http://www.w3.org/wiki/KoreaWebCryptoUseCase
  • 20. Collecting use cases • Primary features • Secure messaging • Encrypted web applications • Storing local storage • Encrypted bill • Client authentications • Secondary features • Financial Transaction: Online bank • Credit card process • SSL VPN • Handling S/MIME mail • Handling XML Encryption • http://www.w3.org/community/webcryptoapi/wiki/Use_Cases
  • 21. Key isolations proposed by Ryan Sleevi • Origin-bound: – generated via .generateKey() bound to a single origin with short-lived (session cookie style?) • Use case: DHE/ECDHE/PAKE key agreement for opportunistic encryption of chat over Websockets, where the intermediary is not trusted. • Use case: Perhaps some binding of a user login/cookie data to some encrypted context. The key is only as useful as long as the cookie lives, and vice-versa. • Persistent: – effectively super-cookie that might apply to cookies/cache/other data. • Use case: "identity key" with a service might be used for mail signing, HTML5 file storage, online chat, etc. single origin or shared with multiple origins – Keys may be stored in software (managed by the UA), in the OS or some global key store (making them available to other applications beyond the UA), in "the cloud" as part of some sync service, or even stored on another device such as TPM or smart card. • Use Case: For embedders (such as Netflix), for purchase USB TPMs • High Value: – a strong correlation to certain high value transactions - particularly where force of law is involved. Unlike the above 'persistent' keys, HVKs are strongly correlated to identity, and may reflect government or financial services issuance. • Use Case: Signing a legal document - tax forms, contract, performing 'sensitive' transactions (bank transaction confirmation, etc)
  • 22. Future Plan • Secondary API spec – aka. Web Certificate Service API – TLS login/out, key management including import/export and signing/verification – Discussions for smartcard and USB token • Get started – Join W3C WebCryptography W/G • http://lists.w3.org/Archives/Public/public-webcrypto/ – Join W3C WebCrypto API Community Group • http://www.w3.org/community/webcryptoapi/
  • 23. References in Korean 1. 액티브X 없이 공인인증서 쓴다 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120323121226 2. 공인인증서 액티브X와 결별하려면 http://www.zdnet.co.kr/news/news_view.asp?artice_id=2 0120329124248 3. 전자서명 웹 표준화 안되나? http://channy.creation.net/blog/884 4. ActiveX 걷어낼 웹표준 만든다 http://blog.creation.net/519 5. WebCrypto API의 현재와 미래 http://channy.creation.net/blog/884
  • 24. Thanks for listening: Q&A Channy Yun Twitter: @channyun E-mail: channy@mozilla.or.kr Blog: http://channy.creation.net