[whatwg] window.cipher HTML crypto API draft spec
David Dahl
ddahl at mozilla.com
Mon May 23 21:33:06 PDT 2011
The implementation is secondary in this effort. I think I have nailed down an elegant API that web developers can understand and easily use without shooting themselves and others in the foot.
Regards,
David
----- Original Message -----
From: "=JeffH" <Jeff.Hodges at KingsMountain.com>
To: whatwg at lists.whatwg.org
Sent: Monday, May 23, 2011 10:14:36 PM
Subject: Re: [whatwg] window.cipher HTML crypto API draft spec
David Dahl replied..
>
> "Simon Heckmann" <simon at simonheckmann.de> asked..
>
>> Why does it only handle asymmetric encryption? Something to
>> encrypt/decrypt data with e.g. AES would be nice as well!
>
> I do need to add a symmetric encryption API as well, my current focus has
> been on the exchange of messages between web users, but that is only one
> facet of the results of this effort. I should look at the big picture a bit
> and think about what that API should look like.
Various folks have been thinking about the need to leverage platform crypto
functions (rather than implementing crypto in "JS libraries") via a
standardized API for browser-side web app code such that a
swath of use cases is addressed, here's a couple examples of such position
statements..
The Need for a Web Security API
http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf
Wanted: Native JS Encryption
http://robert.accettura.com/blog/2011/03/03/wanted-native-js-encryption/
https://mail.mozilla.org/pipermail/es-discuss/2011-March/013144.html
Some have noted that there ought to be a very high level API built on top of
such a substrate that web app developers could use for their more common use
cases. Keyczar is one example of such an API <http://www.keyczar.org/>, and
cryptlib is another
<http://www.cryptlib.com/security-software/programming-code-examples>.
Adam Barth replied..
>
> David Dahl said..
>
>> Yes, that is the case, I am using NSS. I imagine other browser vendors
>> would also use NSS to implement this.
>
> It's very unlikely that Microsoft will use NSS to implement this API in IE.
Agreed. We nominally need an API that can be implemented by interfacing with
NSS and CAPI (Microsoft Cryptography API) (arguably as well as OpenSSL, GPG,
OpenPGP, etc).
fyi/fwiw, another thread from earlier this year cross-posted between this list
and <es-discuss at mozilla.org> noted that there is some discussion amongst the
EcmaScript spec folk about defining "a real crypto API"..
[whatwg] Cryptographically strong random numbers (Mark Miller)
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-February/030452.html>
=JeffH