[whatwg] window.cipher HTML crypto API draft spec
ddahl at mozilla.com
Fri May 20 14:16:30 PDT 2011
----- Original Message -----
From: "=JeffH" <Jeff.Hodges at KingsMountain.com>
To: whatwg at lists.whatwg.org
>> I have created a Firefox extension that implements all of the above, and am
>> working on an experimental patch that integrates this API into Firefox.
> A subtle-but-important aspect to note about the above is that you impl'd it via
> interfacing to the in-browser NSS API rather than (re)coding it in JS.
Yes, that is the case, I am using NSS. I imagine other browser vendors would also use NSS to implement this.
>> The draft spec is here:
> It's an interesting start, but the methods of the window.cipher property appear
> to be tailored pretty specifically for your "addressbook" use case..
> ..which itself describes an implicit key exchange mechanism.
Indeed it does. The first use case I have in mind is pseudo-anonymous communication via social networking. Hence the namespacing in the API. Other use cases I have not tackled yet are symmetric encryption via a variety of algos, etc...
> While that's sorta interesting, there's various use cases that've been
> mentioned in various places that the above proposed API doesn't necessarily
> Web Sigining in Action
> Re: Web Sigining in Action
> JS crypto? (and ensuing thread)
> Re: Hash functions (and ensuing thread)
I will have to read these threads and get back to you. I am familiar with some of them.
> Additionally, key exchange often becomes a tar pit. It'd be great if there were
> functionality in such a JS-accessible API so that one could leverage keying
> material from underlying, e.g. TLS, key exchanges (see RFC 5705, and "keying
> material exporter" column in
> SSL_PeerCertificate() with which one can get the peer's cert and thus public
> key), rather than invent new ones.
I am definitely not trying to tackle the great "key exchange" solution. I was thinking about how, on the most basic level, you could simply publish your "addressbook entry" for others to collect. A meta tag came to mind as something quite simple - the browser just needs a way to prompt the user and save the data as JSON.
Thank you for the feedback, you have provided me with a lot of weekend reading.