Friendly ping.

On Wed, Feb 2, 2022 at 11:53 AM Chris Harrelson <chris...@chromium.org> wrote:

> LGTM2
>
> My understanding is that there is a security/privacy review ongoing to double-check this feature, so if there is an LGTM3 please make sure that review has concluded as well.
>
> On Wed, Feb 2, 2022 at 3:28 AM Yoav Weiss <yoavwe...@chromium.org> wrote:
>
>> LGTM1
>>
>> On Thursday, January 20, 2022 at 7:08:59 AM UTC+1 Victor Vasiliev wrote:
>>
>>> Contact emails
>>>
>>> yhir...@chromium.org, vasi...@chromium.org
>>>
>>> Explainer
>>>
>>> https://github.com/w3c/webtransport/blob/main/explainer.md
>>>
>>> Spec
>>>
>>> https://w3c.github.io/webtransport/#dom-webtransportoptions-servercertificatehashes
>>>
>>> WebTransport has already been covered by a series of TAG reviews (389 <https://github.com/w3ctag/design-reviews/issues/389>, 669 <https://github.com/w3ctag/design-reviews/issues/669>).
>>>
>>> Summary
>>>
>>> In WebTransport, the serverCertificateHashes option allows the website to connect to a WebTransport server by authenticating the certificate against the expected certificate hash instead of using the Web PKI. This feature allows Web developers to connect to WebTransport servers that would normally find obtaining a publicly trusted certificate challenging, such as hosts that are not publicly routable, or virtual machines that are ephemeral in nature.
>>>
>>> During the WebTransport Intent to Ship email thread <https://groups.google.com/a/chromium.org/g/blink-dev/c/kwC5wES3I4c>, concerns were raised regarding the security considerations of this portion of the spec being incomplete. We believe that we have addressed those concerns (notably, in this PR <https://github.com/w3c/webtransport/pull/375>).
>>
>> Please follow up on the PR to ensure it lands. Thanks! :)
>>
>>> In terms of the actual code behavior, the only major difference since the previous thread is that we no longer allow RSA keys for the certificates.
>>>
>>> Link to "Intent to Prototype" blink-dev discussion
>>>
>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/I6MS2kOKcx0/m/NAdg7Sc-CwAJ
>>>
>>> Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>
>>> Yes.
>>>
>>> Debuggability
>>>
>>> The certificate-related errors for WebTransport sessions are logged into the developer console.
>>>
>>> Measurement
>>>
>>> The use of this feature is tracked by the WebTransportServerCertificateHashes use counter.
>>>
>>> Risks
>>>
>>> Interoperability and Compatibility
>>>
>>> There is some discussion about adding a mechanism to prevent websites from using this feature via an HTTP header (either CSP or a new header). Some of the proposals could potentially break existing usage under certain conditions (e.g. if a webpage both uses serverCertificateHashes and has a connect-src directive, and we decide to extend connect-src); I expect those cases to be sufficiently niche to ultimately not be a problem, and the question itself is of fairly low priority as there does not seem to be a strong security reason for a website to restrict serverCertificateHashes.
>>
>> Are you planning to file a separate intent once those plans materialize?
>>
>>> Gecko: worth prototyping <https://github.com/mozilla/standards-positions/issues/167#issuecomment-1015951396>
>>>
>>> WebKit: no signal <https://lists.webkit.org/pipermail/webkit-dev/2021-September/031980.html>
>>>
>>> Web / Framework developers: positive (we have received indication in the past that serverCertificateHashes is a blocker for migrating from WebRTC for at least one of them)
>>>
>>> Ergonomics
>>>
>>> The API is roughly modeled after a similar WebRTC API (RtcDtlsFingerprint), with a noted improvement that the certificate hash no longer needs to be serialized into a specific format.
>>>
>>> Activation
>>>
>>> Using this feature would require web developers to design their application in a way that supports generating and distributing ephemeral certificates on demand.
>>>
>>> Security
>>>
>>> Security considerations for this feature are discussed at length in PR #375 <https://pr-preview.s3.amazonaws.com/vasilvv/web-transport/pull/375.html#certificate-hashes>.
>>>
>>> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>? Link to test suite results from wpt.fyi.
>>>
>>> WebTransport itself is tested by web-platform-tests; this specific feature requires infra support that is currently not available (issue <https://github.com/web-platform-tests/wpt/issues/32463>).
>>>
>>> Entry on the feature dashboard <http://www.chromestatus.com/>
>>>
>>> https://chromestatus.com/feature/5690646332440576
>>
>> --
>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org.
>> To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2a591c7e-ef31-4015-8b34-256e12bcfce3n%40chromium.org.