
Re: security of a client-side JS API?

From: Richard L. Barnes <rbarnes@bbn.com>
Date: Thu, 1 Nov 2012 17:13:00 +0100
Cc: Mountie Lee <mountie.lee@mw2.or.kr>, public-webcrypto-comments@w3.org
Message-Id: <70855750-72B5-4DE1-AB25-46FFD039ED61@bbn.com>
To: "Arthur D. Edelstein" <arthuredelstein@gmail.com>
>> I think End-to-End encryption is easily implementable with the current webcrypto
>> API spec.
> 
> My feeling is that truly private, end-to-end encryption using the
> WebCrypto API (or indeed any JS crypto library) is only possible if
> implemented in an open-source browser extension, such as Cryptocat. As
> far as I can tell, it is not possible in a web app using the WebCrypto
> API.
> 
>> standardization for E2E is a difficult issue.
> 
> Probably, but some reasonably simple standards should be possible. For
> example, encrypting/decrypting text and encrypting/decrypting files
> look like two relatively simple and fairly general use cases.
> 
> Best regards,
> Arthur


If you don't trust the downloaded JavaScript, why are you using a web app?  If you have to download a browser extension, then you might as well install a dedicated application.  ISTM that your definition of E2E is not really germane to this working group.

--Richard
Received on Thursday, 1 November 2012 16:13:36 GMT
