
Re: JS crypto?

From: Ben Laurie <benl@google.com>
Date: Thu, 13 May 2010 16:31:28 +0100
Message-ID: <r2v1b587cab1005130831l3a2665c5w61b2679f32adf138@mail.gmail.com>
To: Marcin Hanclik <Marcin.Hanclik@access-company.com>
Cc: "nathan@webr3.org" <nathan@webr3.org>, Jeremy Orlow <jorlow@chromium.org>, public-webapps <public-webapps@w3.org>, "art.barstow@nokia.com" <art.barstow@nokia.com>, foaf-protocols <foaf-protocols@lists.foaf-project.org>
On 12 May 2010 17:54, Marcin Hanclik <Marcin.Hanclik@access-company.com> wrote:

> Hi Nathan,
>
> This seems to be the current related standardization effort:
> http://bondidev.omtp.org/1.5/crypto.html
> =
> http://bondi01.obe.access-company.com/1_5_5602_145/crypto.html


I find it slightly worrying that the first example I come across uses ECB
mode with no padding!

Anyway, this has long been on my list of things to worry about when I get
the time, so I'd be very happy to help out if that'd be useful.


>
>
> Past related efforts were less robust (just signText in WMLScript) in
> http://www.openmobilealliance.org/tech/affiliates/LicenseAgreement.asp?DocName=/wap/wap-161-wmlsscriptcrypto-20010620-a.pdf
>
> Thanks,
> Marcin
>
>
> Marcin Hanclik
> ACCESS Systems Germany GmbH
> Tel: +49-208-8290-6452  |  Fax: +49-208-8290-6465
> Mobile: +49-163-8290-646
> E-Mail: marcin.hanclik@access-company.com
>
> -----Original Message-----
> From: public-webapps-request@w3.org [mailto:public-webapps-request@w3.org]
> On Behalf Of Nathan
> Sent: Wednesday, May 12, 2010 6:31 PM
> To: Jeremy Orlow
> Cc: public-webapps; art.barstow@nokia.com; foaf-protocols
> Subject: Re: JS crypto?
>
> Arthur:
> Thanks for pointing me in the right direction [1] :)
>
> Jeremy:
> Fully agree re the right time to explore the possibility.
>
> I can think of many, many use cases - particularly in conjunction with
> work that's going on in the social, swxg, foaf, foaf-protocols, linked
> data, and read write web camps.
>
> With foaf+ssl we have public keys in profiles used for authentication
> over HTTPS where the user has a certificate installed in the browser,
> since the public key is available it leads the way to encrypted
> communication over http between two parties, and also mounting
> information on the web which is encrypted with those public keys, making
> it safe and secure - obviously if one were to pass the private key in
> to a server side application then security would be somewhat flawed,
> however if it's in the browser then this paves the way for almost
> infinite uses - including many web of trust related functions
> (particularly with signing resources exposed by uris).
>
> So whilst usage may be somewhat low, I fully envision need and usage
> rising exponentially over the next few years and onwards, so a
> relatively early start at standardisation would indeed be a very good
> thing!
>
> [1] http://lists.w3.org/Archives/Public/public-web-security/
>
> Best,
>
> Nathan
>
>
> Jeremy Orlow wrote:
> > This came up not too long ago in the context of persistent storage.  The
> > verdict (IIRC) was that we're not interested in adding crypto just to
> > the persistent storage APIs, but that we might be interested in adding a
> > general crypto API.
> >
> > Does anyone have any data for how widely used window.crypto and/or JS
> > library alternatives are?  If they aren't widely used, maybe it's worth
> > seeing if we can find use cases for crypto in the browser that aren't
> > satisfied by JS libraries?
> >
> > To answer your question, I'm not aware of any existing standardization
> > efforts, but I think the time might be right to explore the possibility.
> >
> > J
> >
> >
> > On Wed, May 12, 2010 at 5:09 PM, Nathan <nathan@webr3.org> wrote:
> >
> >> Hi All,
> >>
> >> Unsure if this is the best place to ask, but is there currently any JS (or
> >> user agent) support for crypto functions such as sign/seal/encrypt/decrypt?
> >>
> >> Perhaps a working group, a draft, anything?
> >>
> >> I would be very keen to see crypto support in all the browsers standardized
> >> and methods exposed to JS.
> >>
> >> For instance, if you have your public key on the web somewhere, I should be
> >> able to seal a document using it, publish it on the web, and know that if
> >> you visit that uri in your browser that it will decrypt it using the private
> >> key from a certificate you have installed in the browser.
> >>
> >> Best & thanks in advance for any response,
> >>
> >> ps: aware of window.crypto in firefox/gecko
> >>
> >> Nathan
> >>
> >>
> >
>
>
>
Received on Thursday, 13 May 2010 16:05:15 GMT
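
The concern raised in the reply about ECB mode with no padding, shown as an added example that is not part of the original message or of the BONDI draft it refers to. It assumes Node.js and AES-128 (the thread names no cipher); the key and the sample records are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const BLOCK = 16;                         // AES block size in bytes
const key = nodeCrypto.randomBytes(16);   // constructed throwaway AES-128 key

// The configuration the message flags: ECB, automatic padding switched off.
function encryptEcbNoPadding(plaintext) {
  const cipher = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  cipher.setAutoPadding(false);
  return Buffer.concat([cipher.update(plaintext), cipher.final()]);
}

// Contrast: AES-128-GCM with a fresh 96-bit nonce for every message.
function encryptGcm(plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Hex string of each complete 16-byte block in buf.
function blocks(buf) {
  const out = [];
  for (let i = 0; i + BLOCK <= buf.length; i += BLOCK) {
    out.push(buf.subarray(i, i + BLOCK).toString('hex'));
  }
  return out;
}

function distinctBlocks(buf) {
  return new Set(blocks(buf)).size;
}

// With padding off, input that is not a multiple of 16 bytes makes final() throw.
function ecbAccepts(plaintext) {
  try { encryptEcbNoPadding(plaintext); return true; } catch { return false; }
}

// Constructed sample: three 16-byte records, the first two identical.
const sample = Buffer.from(
  'AMOUNT=000000100' + 'AMOUNT=000000100' + 'AMOUNT=000009999', 'ascii');

console.log('ECB blocks:', blocks(encryptEcbNoPadding(sample)));
console.log('ECB distinct blocks:', distinctBlocks(encryptEcbNoPadding(sample)));
console.log('GCM distinct blocks:', distinctBlocks(encryptGcm(sample).ct));
console.log('ECB accepts 5-byte input:', ecbAccepts(Buffer.from('hello')));
```

Under ECB the two identical records encrypt to identical ciphertext blocks, so anyone holding the ciphertext learns which records repeat; with padding disabled the caller must also align every input to 16 bytes by hand.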
