Re: JS crypto? from Nathan on 2010-05-12 (public-webapps@w3.org from April to June 2010)

From: Nathan <nathan@webr3.org>
Date: Wed, 12 May 2010 17:30:47 +0100
To: Jeremy Orlow <jorlow@chromium.org>
CC: public-webapps <public-webapps@w3.org>, art.barstow@nokia.com, foaf-protocols <foaf-protocols@lists.foaf-project.org>
Message-ID: <4BEAD7B7.20604@webr3.org>

Arthur:
Thanks for pointing me in the right direction [1] :)

Jeremy:
Fully agree re the right time to explore the possibility.

I can think of many, many use cases - particularly in conjunction with 
work that's going on in the social, swxg, foaf, foaf-protocols, linked 
data, and read write web camps.

With foaf+ssl we have public keys in profiles used for authentication 
over HTTPS where the user has a certificate installed in the browser, 
since the public key is available it leads the way to encrypted 
communication over http between two parties, and also mounting 
information on the web which is encypted with those public keys, making 
it safe and secure - obviously if one where to pass the private key in 
to a server side application then security would be somewhat flawed, 
however if it's in the browser then this paves the way for almost 
infinite uses - including many web of trust related functions 
(particularly with signing resources exposed by uris).

So whilst usage may be somewhat low, I fully envision need and usage 
rising exponentially over the next few years and onwards, so a 
relatively early start at standardisation would indeed be a very good thing!

[1] http://lists.w3.org/Archives/Public/public-web-security/

Best,

Nathan

Jeremy Orlow wrote:
> This came up not too long ago in the context of persistent storage.  The
> verdict (IIRC) was that we're not interested in adding crypto just to
> the persistent storage APIs, but that we might be interested in adding a
> general crypto API.
> 
> Does anyone have any data for how widely used window.crypto and/or JS
> library alternatives are?  If they aren't widely used, maybe it's worth
> seeing if we can find use cases for crypto in the browser that aren't
> satisfied by JS libraries?
> 
> To answer your question, I'm not aware of any existing standardization
> efforts, but I think the time might be right to explore the possibility.
> 
> J
> 
> 
> On Wed, May 12, 2010 at 5:09 PM, Nathan <nathan@webr3.org> wrote:
> 
>> Hi All,
>>
>> Unsure if this is the best place to ask, but is there currently any JS (or
>> user agent) support for cryto functions such as sign/seal/encrypt/decrypt?
>>
>> Perhaps a working group, a draft, anything?
>>
>> I would be very keen to see crypto support in all the browsers standardized
>> and methods exposed to JS.
>>
>> For instance, if you have your public key on the web somewhere, I should be
>> able to seal a document using it, publish it on the web, and know that if
>> you visit that uri in your browser that it will decrypt it using the private
>> key from a certificate you have installed in the browser.
>>
>> Best & thanks in advance for any response,
>>
>> ps: aware of window.crypto in firefox/gecko
>>
>> Nathan
>>
>>
>

Received on Wednesday, 12 May 2010 16:32:12 UTC