W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

From: David Dahl <ddahl@mozilla.com>
Date: Thu, 9 Jun 2011 14:50:04 -0700 (PDT)
To: Nico Williams <nico@cryptonector.com>
Cc: public-web-security@w3.org, Jarred Nicholls <jarred@sencha.com>
Message-ID: <539599167.163856.1307656204108.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>


----- Original Message -----
> From: "Nico Williams" <nico@cryptonector.com>
> To: "David Dahl" <ddahl@mozilla.com>
> Cc: public-web-security@w3.org, "Jarred Nicholls" <jarred@sencha.com>
> Sent: Thursday, June 9, 2011 4:23:52 PM
> Subject: Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

> You've sold me on one clever use for JS crypto APIs. Given that I can
> ignore my concern regarding false sense of security in other uses.
> I'm still concerned that developers will not use crypto correctly
> (consider the CBC padding oracle vulnerabilities we've seen in the
> past), so I'd rather we offer AEAD APIs than, or at least in addition
> to, say, raw AES APIs.

Yep, the gun is loaded. My hope is that a community of smart crypto nerds will guide web developers in the use of this API.

Also, that is why there is an algorithm property for each API, as we will need to evolve the level of security as the times change. I would also really like to use EC, but that seems untenable with the kind of patent issues that may be lurking.

Regards,

David
Received on Thursday, 9 June 2011 21:50:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC