W3C home > Mailing lists > Public > public-web-security@w3.org > October 2015

Re: State of the WebCrypto API

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Tue, 13 Oct 2015 07:10:22 +0200
To: Tony Arcieri <bascule@gmail.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <561C923E.9060608@gmail.com>
Tony,
There are no technical disagreements whatsoever (I once even created a "shim" to cope with IE), but I did indeed take the liberty downplaying the importance of WebCrypto which you characterize as FUD.

However, this view of mine is not only an opinion, it is based on hands-on experience with crypto-using applications on the Web. There's nothing wrong with the API itself, it is rather the ability to write useful applications that I don't find entirely satisfactory due to the unavailability of complementary technologies like "Trusted Code" and "Trusted UI", not to mention the SOP constraint.

One of the WebCrypto goals were offering an alternative to the now deprecated signature plugins etc.  What has happened is that "Apps", have taken over the plugins' role in quite a few cases. Although working, theses schemes are often both clumsy and not "phish-safe".

I don't fully understand what kind of discussions you like to see in this list.

I think a lot of people would be awfully interesting hearing your thoughts (as a very technical representative of the payment industry), of the EMV-card use-case on the Web.

Anders

On 2015-10-12 21:57, Tony Arcieri wrote:
> On Monday, October 12, 2015, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     IE 11 is Microsoft's most recent browser for their currently largest installed base of Windows.
>     Why does it still require a workaround?  Probably because there's limited demand for WebCrypto.
>
>
> Anders,
>
> I already explained this to you, but let's try again:
>
> WebCrypto uses promises
>
> IE11 does not support promises
>
> Microsoft has no plans to add support for promises to IE11
>
> You started  this thread by linking to this article, which demonstrates Microsoft's commitment to WebCrypto in Edge:
>
> https://msdn.microsoft.com/en-us/library/dn904640(v=vs.85).aspx <https://msdn.microsoft.com/en-us/library/dn904640%28v=vs.85%29.aspx>
>
> In other words, the technical basis to your argument runs diametrical to your point (which is little more than instilling fear, uncertainty, and doubt about WebCrypto)
>
> Please stop posting threads like this. I can't tell if you're being actively deceptive to malicious ends, or are truly incapable of understanding the underlying concepts, but either way this has to stop.
>
> To the chairs: threads like this discourage reasoned technical discussion on this mailing list.
>
> -- 
> Tony Arcieri
>
Received on Tuesday, 13 October 2015 05:10:57 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 13 October 2015 05:10:58 UTC