[whatwg] DOMCrypt update: July 14 Meeting Report

David Dahl ddahl at mozilla.com
Wed Jul 27 07:16:17 PDT 2011


----- Original Message -----
> From: "Simon Heckmann" <simon at simonheckmann.de>
> To: "Adam Barth" <w3c at adambarth.com>
> Cc: "Silvia Pfeiffer" <silviapfeiffer1 at gmail.com>, "WHATWG Proposals" <whatwg at lists.whatwg.org>, "David Dahl"
> <ddahl at mozilla.com>
> Sent: Wednesday, July 27, 2011 4:13:38 AM
> Subject: Re: [whatwg] DOMCrypt update: July 14 Meeting Report
> I totally agree with you. My code was just an example. I also think it
> should be idiot proof.
> 
> However, I think the whole API should be loosly coupled. Requiring the
> client to initialize a cryptographic function on the server seems to
> tightly linked. 
This is how we can limit the scope and reduce the attacks that are possible cross-domain. The keypair is usable only with the origin that created it.  

> I think it should be possible to decrypt any chunk of
> data with the DOMCrypt API as long as I know the algorithm and the
> key. But maybe this is out of scope and I am thinking in too universal
> concepts?
> 
Perhaps, however, your use cases are not out of the question. We just want to start with a smaller surface, making this API simpler to implement and use.

Regards,

David



More information about the whatwg mailing list