[whatwg] window.cipher HTML crypto API draft spec

=JeffH Jeff.Hodges at KingsMountain.com
Mon May 23 20:14:36 PDT 2011 

David Dahl replied..
 >
 > "Simon Heckmann" <simon at simonheckmann.de> asked..
 >
 >> Why does it only handle asymmetric encryption? Something to
 >> encrypt/decrypt data with e.g. AES would be nice as well!
 >
 > I do need to add a symmetric encryption API as well, my current focus has
 > been on the exchange of message between web users, but that is only one
 > facet of the results of this effort. I should look at the big picture a bit
 > and think about what that API should look like.

Various folks have been thinking about the need to leverage platform crypto
functions (rather than implementing crypto in "JS libraries") via a 
standardized API for browser-side web app code such that a
swath of use cases is addressed, here's a couple examples of such position 
statements..

   The Need for a Web Security API
   http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf

   Wanted: Native JS Encryption
   http://robert.accettura.com/blog/2011/03/03/wanted-native-js-encryption/
   https://mail.mozilla.org/pipermail/es-discuss/2011-March/013144.html

Some have noted that there ought to be a very high level API built on top of
such a substrate that web app developers could use for their more common use
cases. Keyczar is one example of such an API <http://www.keyczar.org/>, and 
cryptlib is another 
<http://www.cryptlib.com/security-software/programming-code-examples>.


Adam Barth replied..
 >
 > David Dahl said..
 >
 >> Yes, that is the case, I am using NSS. I imagine other browser vendors
 >> would also use NSS to implement this.
 >
 > It's very unlikely that Microsoft will use NSS to implement this API in IE.

Agreed.  We nominally need an API that can be implemented by interfacing with 
NSS and CAPI (Microsoft Cryptography API) (arguably as well as OpenSSL, GPG, 
OpenPGP, etc).

fyi/fwiw, another thread from earlier this year cross-posted between this list 
and <es-discuss at mozilla.org> noted that there is some discussion amongst the 
EcmaScript spec folk about defining an "a real crypto API"..

   [whatwg] Cryptographically strong random numbers  (Mark Miller)
   <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-February/030452.html>


=JeffH

More information about the whatwg mailing list