WebCrypto High-Level API - Why?

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Fri, 25 Jan 2013 07:42:30 +0100
Message-ID: <51022956.4070604@telia.com>
To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
I'm not sure what the High-Level API that has been mentioned a few times on the list actually
refers to but I guess it is something like Google's http://code.google.com/p/keyczar ?

Personally I don't understand why we should waste money on making cryptography usable by "n00bs"
rather than doing what we can to make platforms more useful for those who actually master cryptography.

Related 1:
The other day I had the pleasure of evaluating a security protocol which used the "right/best"
encryption algorithm there is.  Although it appeared quite cool, the design inadvertently exposed a
secret PIN through a trivial off-line attack which again proved my thesis that the core issue is not
cryptographic algorithms, but security protocols.

Related 2:
<keygen> is an example of a W3C-standardized security protocol
which has proved to be completely useless for any serious work, not due to its reliance on MD5,
but due to its crummy operation.  In fact, its uselessness was well-known even before W3C adopted
it but the Google and Apple editors insisted on its inclusion in HTML5.  Apple subsequently rejected
<keygen> in iOS and Microsoft publicly attested that they would never bother with it either.

Received on Friday, 25 January 2013 06:43:09 UTC