[whatwg] window.cipher HTML crypto API draft spec
David Dahl
ddahl at mozilla.com
Fri May 20 14:16:30 PDT 2011
----- Original Message -----
From: "=JeffH" <Jeff.Hodges at KingsMountain.com>
To: whatwg at lists.whatwg.org
>> I have created a Firefox extension that implements all of the above, and am
>> working on an experimental patch that integrates this API into Firefox.
> A subtle-but-important aspect to note about the above is that you impl'd it via
interfacing to the in-browser NSS API rather than (re)coding it in JS.
Yes, that is the case, I am using NSS. I imagine other browser vendors would also use NSS to implement this.
>> The draft spec is here:
>> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
> It's an interesting start, but the methods of the window.cipher property appear
to be tailored pretty specifically for your "addressbook" use case..
>> https://wiki.mozilla.org/Privacy/Features/mozCipherAddressbook
> ..which itself describes an implicit key exchange mechanism.
Indeed it does. the first use case I have in mind is pseudo-anonymous communication via social networking. Hence the namespacing in the API. Other use cases I have not tackled yet are symmetric encryption via a variety of algos, etc...
> While that's sorta interesting, there's various use cases that've been
mentioned in various places that the above proposed API doesn't necessarily
address..
> Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0898.html
> Re: Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0953.html
> JS crypto? (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0605.html
> Re: Hash functions (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010OctDec/1041.html
I will have to read these threads and get back to you. I am familiar with some of them.
> Additionally, key exchange often becomes a tar pit. It'd be great if there were
functionality in such a JS-accessible API so that one could leverage keying
material from underlying, e.g. TLS, key exchanges (see RFC 5705, and "keying
material exporter" column in
<https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_TLS_Implementations#Extensions>;
also NSS'
SSL_PeerCertificate() with which one can get the peer's cert and thus public
key), rather than invent new ones.
I am definitely not trying to tackle the great "key exchange" solution. I was thinking about how, on the most basic level you could simply publish your "addressbook entry" for others to collect. A meta tag came to mind as something quite simple - the browser just needs a way to prompt the user and save the data as JSON.
Thank you for the feedback, you have provided me with a lot of weekend reading.
Regards,
David
More information about the whatwg
mailing list