Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider removing support for P-521 #277

Closed
sleevi opened this issue Apr 6, 2021 · 1 comment
Closed

Consider removing support for P-521 #277

sleevi opened this issue Apr 6, 2021 · 1 comment
Labels
F2F security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@sleevi
Copy link

sleevi commented Apr 6, 2021

A number of user agents intentionally decline to implement P-521, due to the significant performance overheads incurred relative to the limited security benefit provided in practice. For example, both Chrome and Firefox prohibit such certificates within TLS connections.

The current language includes P-521 as optional, as captured at

openscreenprotocol/index.bs

Lines 363 to 371 in 5488c7b

The [=agent certificate=] must have the following characteristics:
* 256-bit, 384-bit, or 521-bit ECDSA public key
* Self-signed
* Supporting the at least one of the following signature algorithms:
* secp256r1_sha256
* secp384r1_sha384
* secp521r1_sha512
* Valid for signing

This will likely exacerbate interoperability issues, and also arguably incompatible with the goal stated in Non-Functional Requirements, namely

openscreenprotocol/index.bs

Lines 206 to 210 in 5488c7b

1. It should be possible to implement an OSP agent using modest
hardware requirements, similar to what is found in a low end smartphone,
smart TV or streaming device. See the [Device
Specifications](https://w3c.github.io/openscreenprotocol/device_specs.html)
document for agent hardware specifications.

Suggestion: Remove P-521.
@sleevi sleevi mentioned this issue Apr 6, 2021
Closed
@samuelweiler samuelweiler added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label May 27, 2021
@w3cbot w3cbot mentioned this issue May 27, 2021
Open
@chrisn chrisn mentioned this issue Sep 8, 2022
Merged
@markafoltz markafoltz mentioned this issue Sep 8, 2022
Merged
@markafoltz markafoltz added the F2F label Sep 8, 2022
@markafoltz markafoltz mentioned this issue Sep 13, 2022
Open
@markafoltz
Copy link
Contributor

Closed by #295.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
F2F security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sleevi @markafoltz @samuelweiler