Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC adding third party Ed25519, HPKE, and CBOR libs #208

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

RFC adding third party Ed25519, HPKE, and CBOR libs #208

Changes from 6 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
edb3a4a
Create additional_cypto_cbor_libs.md
JensenPaul Aug 21, 2024
31edd1d
clarify note on transpiling
JensenPaul Aug 22, 2024
e78ffac
add usage details
JensenPaul Aug 22, 2024
cb6ff54
add example APIs
JensenPaul Aug 23, 2024
d236bb8
Update additional_cypto_cbor_libs.md
JensenPaul Aug 27, 2024
606ed05
Update additional_cypto_cbor_libs.md
JensenPaul Aug 28, 2024
4c0957d
use markdown link instead of footnotes
JensenPaul Aug 29, 2024
c3d0435
We also need Python HPKE & CBOR libraries
JensenPaul Oct 30, 2024
da4e514
Switch from CC0 licensed Ed25519 library to MIT licensed one.
JensenPaul Jan 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions rfcs/additional_cypto_cbor_libs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# RFC 208: additional crypto and CBOR libraries

## Summary

Several new web APIs require additional cryptography and CBOR libraries to
properly test, for example the Protected Audience Additional Bids feature [0]
uses Ed25519 signatures, the Protected Audience Key-Value services [1] and
Bidding and Auction services [2] use CBOR data encoding and HPKE encryption.
These additional libraries are to support cryptography and the CBOR
protocols not otherwise supported in JavaScript or Python, namely Ed25519,
HPKE, and CBOR. There are open source libraries commonly available that
implement these protocols and have compatible licenses. This RFC proposes
adding such libraries to the tools/ directory (for the Python library) and
to a <spec>/third_party/ directory [3] (for the JavaScript libraries) so
that web-platform-tests may exercise and verify proper compatible
implementations of these new web APIs.

## Details

We're proposing adding this library to the tools/ directory:

An Ed25519 Python implementation:
https://github.com/pyca/ed25519/blob/main/ed25519.py
JensenPaul marked this conversation as resolved.
Show resolved Hide resolved

The Ed25519 library is intended to be used by test code running on wptserve that may receive an Ed25519 private key and message to sign that message, or a public key and signature to verify that signature. This library is CC0 licensed.

We're proposing adding these libraries to a third_party/ subdirectory under our spec directory as per this advice [3]:

An HPKE JavaScript implementation:
https://github.com/dajiaji/hpke-js
JensenPaul marked this conversation as resolved.
Show resolved Hide resolved

This library has some dependencies, so we're proposing building/transpiling into a single hpke.js file.

A CBOR JavaScript implementation:
https://github.com/paroga/cbor-js/blob/master/cbor.js
JensenPaul marked this conversation as resolved.
Show resolved Hide resolved

The HPKE and CBOR libraries are used by test code to decrypt and decode data coming from JavaScript APIs to verify their contents, and used by test code to encode and encrypt response data. These libraries and all of their included dependencies are MIT licensed.

## Risks

Users of these libraries may need to update them from time to time if new
functionality or fixes are required. This is likely not a big risk.

The HPKE library, once built/transpiled into one JavaScript file, may be slightly harder to debug, but we'll disable minification when building.

[0] https://github.com/WICG/turtledove/blob/main/FLEDGE.md#623-additional-bid-keys
[1] https://github.com/WICG/turtledove/blob/main/FLEDGE_Key_Value_Server_API.md#query-api-version-2
[2] https://github.com/WICG/turtledove/blob/main/FLEDGE_browser_bidding_and_auction_API.md
[3] https://github.com/web-platform-tests/rfcs/issues/46#issuecomment-587707539
JensenPaul marked this conversation as resolved.
Show resolved Hide resolved