LGTM2 My understanding is that there is a security/privacy review ongoing to double-check this feature, so if there is an LGTM3 please make sure that review has concluded as well.
On Wed, Feb 2, 2022 at 3:28 AM Yoav Weiss <yoavwe...@chromium.org> wrote: > LGTM1 > > On Thursday, January 20, 2022 at 7:08:59 AM UTC+1 Victor Vasiliev wrote: > >> Contact emails >> >> yhir...@chromium.org, vasi...@chromium.org >> >> Explainer >> >> https://github.com/w3c/webtransport/blob/main/explainer.md >> >> Spec >> >> >> https://w3c.github.io/webtransport/#dom-webtransportoptions-servercertificatehashes >> >> WebTransport has been already covered by a series of TAG reviews (389 >> <https://github.com/w3ctag/design-reviews/issues/389>, 669 >> <https://github.com/w3ctag/design-reviews/issues/669>). >> >> Summary >> >> In WebTransport, the serverCertificateHashes option allows the website to >> connect to a WebTransport server by authenticating the certificate against >> the expected certificate hash instead of using the Web PKI. This feature >> allows Web developers to connect to WebTransport servers that would >> normally find obtaining a publicly trusted certificate challenging, such as >> hosts that are not publically routable, or virtual machines that are >> ephemeral in nature. >> >> During the WebTransport Intent to Ship email thread >> <https://groups.google.com/a/chromium.org/g/blink-dev/c/kwC5wES3I4c>, >> concerns were raised regarding the security considerations of this portion >> of the spec being incomplete. We believe that we have addressed those >> concerns (notably, in this PR >> <https://github.com/w3c/webtransport/pull/375>). >> > > Please followup on the PR to ensure it lands. Thanks! :) > > >> In terms of the actual code behavior, the only major difference since >> the previous thread is that we no longer allow RSA keys for the >> certificates. >> >> Link to “Intent to Prototype” blink-dev discussion >> >> >> https://groups.google.com/a/chromium.org/g/blink-dev/c/I6MS2kOKcx0/m/NAdg7Sc-CwAJ >> >> Is this feature supported on all six Blink platforms (Windows, Mac, >> Linux, Chrome OS, Android, and Android WebView)? >> >> Yes. >> >> Debuggability >> >> The certificate-related errors for WebTransport sessions are logged into >> the developer console. >> >> Measurement >> >> The use of this feature is tracked by the >> WebTransportServerCertificateHashes use counter. >> >> Risks >> >> Interoperability and Compatibility >> >> There is some discussion about adding a mechanism to prevent websites >> from using this feature via an HTTP header (either CSP or a new header). >> Some of the proposals could potentially break existing usage under certain >> conditions (e.g. if a webpage both uses serverCertificateHashes and has a >> connect-src directive, and we decide to extend connect-src); I expect for >> those cases to be sufficiently niche to ultimately not be a problem, and >> the question itself is of fairly low priority as there does not seem to be >> a strong security reason for a website to restrict serverCertificateHashes. >> > > Are you planning to file a separate intent once those plans materialize? > > >> >> Gecko: worth prototyping >> <https://github.com/mozilla/standards-positions/issues/167#issuecomment-1015951396> >> >> WebKit: no signal >> <https://lists.webkit.org/pipermail/webkit-dev/2021-September/031980.html> >> >> Web / Framework developers: positive (we have received indication in the >> past that serverCertificateHashes is a blocker for migrating from WebRTC at >> least one of them) >> >> Ergonomics >> >> The API is roughly modeled after a similar WebRTC API >> (RtcDtlsFingerprint), with a noted improvement that the certificate hash no >> longer requires to be serialized into a specific format. >> >> Activation >> >> Using this feature would require web developers to design their >> application in a way that supports generating and distributing ephemeral >> certificates on demand. >> >> Security >> >> Security considerations for this feature are discussed at length in PR >> #375 >> <https://pr-preview.s3.amazonaws.com/vasilvv/web-transport/pull/375.html#certificate-hashes> >> . >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? >> Link to test suite results from wpt.fyi. >> >> WebTransport itself is tested by web-platform-tests; this specific >> feature requires infra support that is currently not available (issue >> <https://github.com/web-platform-tests/wpt/issues/32463>). >> >> Entry on the feature dashboard <http://www.chromestatus.com/> >> >> https://chromestatus.com/feature/5690646332440576 >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2a591c7e-ef31-4015-8b34-256e12bcfce3n%40chromium.org > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2a591c7e-ef31-4015-8b34-256e12bcfce3n%40chromium.org?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw_5-tRa%3Dk2v_YNA8Og0eh9XGDA_4XwCmBeS2jXphFaADQ%40mail.gmail.com.