Re: Smart Card support. Re: Request for feedback: DOMCrypt API proposal

From: Brian Smith <bsmith@mozilla.com>
Date: Fri, 10 Jun 2011 13:04:46 -0700 (PDT)
To: Nico Williams <nico@cryptonector.com>
Cc: Anders Rundgren <anders.rundgren@telia.com>, public-web-security@w3.org, Jarred Nicholls <jarred@sencha.com>, David Dahl <ddahl@mozilla.com>
Message-ID: <780863684.172970.1307736286539.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Nico Williams wrote:
> Which reminds me of OTR. But note that in the case of profile data
> including credit card numbers the service has a very strong incentive
> to store the data encrypted and do the crypto on the client-side:
> civil liability, which is what overcomes my script trust issues. The
> same doesn't apply to private messaging, yet.

AFAICT, for this use case, we just need a simple API that says "store this data encrypted with assurance level <X> of confidentiality, requiring assurance level <Y> of authentication to unlock, and restricted to content from origin <Z>" similar to what Microsoft Exchange does for mobile devices. 

Even if you had an explicit crypto API, you would need the above API anyway, for protecting the keys, right?

Received on Tuesday, 14 June 2011 00:37:10 UTC
