-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC adding third party Ed25519, HPKE, and CBOR libs #208
Open
JensenPaul
wants to merge
8
commits into
web-platform-tests:master
Choose a base branch
from
JensenPaul:patch-1
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 6 commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
edb3a4a
Create additional_cypto_cbor_libs.md
JensenPaul 31edd1d
clarify note on transpiling
JensenPaul e78ffac
add usage details
JensenPaul cb6ff54
add example APIs
JensenPaul d236bb8
Update additional_cypto_cbor_libs.md
JensenPaul 606ed05
Update additional_cypto_cbor_libs.md
JensenPaul 4c0957d
use markdown link instead of footnotes
JensenPaul c3d0435
We also need Python HPKE & CBOR libraries
JensenPaul File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # RFC 208: additional crypto and CBOR libraries | ||
|
|
||
| ## Summary | ||
|
|
||
| Several new web APIs require additional cryptography and CBOR libraries to | ||
| properly test, for example the Protected Audience Additional Bids feature [0] | ||
| uses Ed25519 signatures, the Protected Audience Key-Value services [1] and | ||
| Bidding and Auction services [2] use CBOR data encoding and HPKE encryption. | ||
| These additional libraries are to support cryptography and the CBOR | ||
| protocols not otherwise supported in JavaScript or Python, namely Ed25519, | ||
| HPKE, and CBOR. There are open source libraries commonly available that | ||
| implement these protocols and have compatible licenses. This RFC proposes | ||
| adding such libraries to the tools/ directory (for the Python library) and | ||
| to a <spec>/third_party/ directory [3] (for the JavaScript libraries) so | ||
| that web-platform-tests may exercise and verify proper compatible | ||
| implementations of these new web APIs. | ||
|
|
||
| ## Details | ||
|
|
||
| We're proposing adding this library to the tools/ directory: | ||
|
|
||
| An Ed25519 Python implementation: | ||
| https://github.com/pyca/ed25519/blob/main/ed25519.py | ||
|
|
||
| The Ed25519 library is intended to be used by test code running on wptserve that may receive an Ed25519 private key and message to sign that message, or a public key and signature to verify that signature. This library is CC0 licensed. | ||
|
|
||
| We're proposing adding these libraries to a third_party/ subdirectory under our spec directory as per this advice [3]: | ||
|
|
||
| An HPKE JavaScript implementation: | ||
| https://github.com/dajiaji/hpke-js | ||
JensenPaul marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| This library has some dependencies, so we're proposing building/transpiling into a single hpke.js file. | ||
|
|
||
| A CBOR JavaScript implementation: | ||
| https://github.com/paroga/cbor-js/blob/master/cbor.js | ||
JensenPaul marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| The HPKE and CBOR libraries are used by test code to decrypt and decode data coming from JavaScript APIs to verify their contents, and used by test code to encode and encrypt response data. These libraries and all of their included dependencies are MIT licensed. | ||
|
|
||
| ## Risks | ||
|
|
||
| Users of these libraries may need to update them from time to time if new | ||
| functionality or fixes are required. This is likely not a big risk. | ||
|
|
||
| The HPKE library, once built/transpiled into one JavaScript file, may be slightly harder to debug, but we'll disable minification when building. | ||
|
|
||
| [0] https://github.com/WICG/turtledove/blob/main/FLEDGE.md#623-additional-bid-keys | ||
| [1] https://github.com/WICG/turtledove/blob/main/FLEDGE_Key_Value_Server_API.md#query-api-version-2 | ||
| [2] https://github.com/WICG/turtledove/blob/main/FLEDGE_browser_bidding_and_auction_API.md | ||
| [3] https://github.com/web-platform-tests/rfcs/issues/46#issuecomment-587707539 | ||
JensenPaul marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This appears to be CC0, which I know different companies have differing policies around, both in terms of usage and any potential contributions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CC0 is broadly considered to be the legal equivalent to the colloquial definition of "public domain", so I don't expect that to be an issue, although perhaps @alex could weigh in.
Creative Commons (non-zero) is generally what triggers more paranoia across different companies. However, I am not sure what the policy is for Web Platform Tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have absolutely no context here, but:
That repo is a pure-Python, but somewhat optimized, implementation of ed25519. It was implemented by taking djb's original ed25519 Python code and optimizing it. djb's original implementation is listed as being licensed "in the public domain": https://ed25519.cr.yp.to/software.html. However, "public domain" is not a concept that exists in all jurisdictions, thus we licensed our modifications under the most permissive license that should work everywhere. For all practical purposes, I do believe anyone should be encumbered by this license.
All of that said, for 99.999% of use cases, you should get your ed25519 from pyca/cryptography, which is dual BSD-3-Clause/Apache-2 licensed. It will be much faster, etc. The only reason to use ed25519.py is if you have a use-case that absolutely requires it be pure python. Bootstrapping the python packaging ecosystem is the only real use case I'm aware of.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the use case here, wptserve, is in fact pure-Python, so ed25519.py is in fact a reasonable match for our needs.
CC0 licensing also sounds very permissive, and it looks like web-platform-tests already contains some CC0 licensed code: https://github.com/web-platform-tests/wpt/blob/master/images/wpt-pr-bot-logo/wpt-pr-bot-logo-darkblue.svg?short_path=d6712fa#L4
I think we've resolved all concerns here and so I'm going to resolve this thread. Feel free to unresolve this comment if this does pose a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fact that wptserve is pure python doesn't really mean it needs to have only pure python dependencies. As the maintainer of ed25519.py, I think it'd be a mistake to use it unless you have immovable constraints like
pipdoes.But at any rate, you've got the licensing history, do as you please.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've certainly tried to avoid compiled dependencies — especially those that have more requirements to build above and beyond what CPython requires to build.
It's certainly the case that we care about being able to run WPT tests (and thus the server) on relatively unusual architectures/OSes (an obvious example is that some of the WebKit ports are still maintaining Linux/arm32 support, for which no cryptography wheels are available — and there's been reluctance to add all the dependencies to build cryptography into the image used — but also there are more extreme cases such as macOS on Apple Silicon prior to its public announcement); any time where we add a compiled dependency it potentially adds a whole load of "you need to install X, Y, and Z before you can install the Python dependencies".
Thus, in general, unless there's a very compelling reason, we've had a strong bias for pure-Python dependencies.