W3C home > Mailing lists > Public > public-webcrypto@w3.org > September 2012

Re: feedback from CFRG

From: Wan-Teh Chang <wtc@google.com>
Date: Thu, 20 Sep 2012 16:51:40 -0700
Message-ID: <CALTJjxFRv8aSZ4SSKY=YWF5Net=8Bmp-8Br+n=xgjNvYiX_+dg@mail.gmail.com>
To: Zooko Wilcox-OHearn <zooko@leastauthority.com>
Cc: public-webcrypto@w3.org, Ryan Sleevi <sleevi@google.com>
Thanks to Tibor Jager for the review comments.

Ryan is right. The current low-level API is designed for developers
who understand the difference between PKCS #1 v1.5 and RSA OAEP, and
the problems with encryption without message authentication code. It'd
be a good idea to add a short paragraph to the Security Considerations
section about such issues (I seem to recall such a paragraph already
exists -- perhaps it just needs to be edited), but the API
specification needs to be mainly about specifying the API.

Wan-Teh
Received on Thursday, 20 September 2012 23:52:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 20 September 2012 23:52:08 GMT