Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

----- Original Message -----
> From: "Nico Williams" <nico@cryptonector.com>
> To: "David Dahl" <ddahl@mozilla.com>
> Cc: public-web-security@w3.org, "Jarred Nicholls" <jarred@sencha.com>
> Sent: Thursday, June 9, 2011 4:23:52 PM
> Subject: Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

> You've sold me on one clever use for JS crypto APIs. Given that, I can
> ignore my concern regarding false sense of security in other uses.
> I'm still concerned that developers will not use crypto correctly
> (consider the CBC padding oracle vulnerabilities we've seen in the
> past), so I'd rather we offer AEAD APIs than, or at least in addition
> to, say, raw AES APIs.

Yep, the gun is loaded. My hope is that a community of smart crypto nerds will guide web developers in the use of this API.

Also, that is why there is an algorithm property for each API, as we will need to evolve the level of security as the times change. I would also really like to use EC, but that seems untenable with the kind of patent issues that may be lurking.

Regards,

David

Received on Thursday, 9 June 2011 21:50:41 UTC
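
The concern raised in the quoted message about raw AES versus AEAD, as an added example that is not part of the thread and does not use the DOMCrypt API: a raw AES-CBC decrypt accepts a modified IV and returns altered plaintext, while AES-GCM rejects any modification. It assumes Node.js and its built-in `crypto` module; the function names, key and message are hypothetical and constructed for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample key and message (not from the thread).
const key = nodeCrypto.randomBytes(32);
const message = Buffer.from('counter=0;note=hi', 'utf8');

// Raw AES-CBC: confidentiality only, nothing checks integrity.
function cbcEncrypt(plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return { iv, ct: Buffer.concat([c.update(plaintext), c.final()]) };
}
function cbcDecrypt({ iv, ct }) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([d.update(ct), d.final()]);
}

// AEAD (AES-GCM): the tag authenticates IV, ciphertext and associated data.
function gcmEncrypt(plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmDecrypt({ iv, ct, tag }, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad tag
}

// Return a copy of `buf` with the lowest bit of byte `index` flipped.
function flipBit(buf, index) {
  const out = Buffer.from(buf);
  out[index] ^= 0x01;
  return out;
}

function demo() {
  const cbc = cbcEncrypt(message);
  // CBC decrypts without error; plaintext byte 8 changes from '0' to '1'.
  const cbcResult = cbcDecrypt({ iv: flipBit(cbc.iv, 8), ct: cbc.ct }).toString();
  const aad = Buffer.from('v1');
  const gcm = gcmEncrypt(message, aad);
  let gcmResult;
  try { gcmResult = gcmDecrypt({ ...gcm, ct: flipBit(gcm.ct, 8) }, aad).toString(); }
  catch (e) { gcmResult = 'rejected'; }
  return { cbcResult, gcmResult };
}
```

A caller of the CBC functions would have to add and verify its own MAC to catch the change, which is the step an AEAD interface makes impossible to forget.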