W3C home > Mailing lists > Public > public-webcrypto@w3.org > September 2012

Suggestions on high-level API - perhaps a meeting next week?

From: Harry Halpin <hhalpin@w3.org>
Date: Mon, 24 Sep 2012 22:44:39 +0200
Message-ID: <5060C637.4000905@w3.org>
To: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Looking at various discussions about the Web Crypto API, it seems that 
most of the concern is the "footgun" problem, i.e. we are giving 
developers a gun to shot themselves in the foot. Most of the concern 
seems to be over the JS environment as a whole, but there is 
considerable concern over the larger issues related to the Web Security 
Model (i.e. CSP.). I'll draft some text on how the Web Crypto API only 
solves a limited part of the problem (i.e. primitives for 
re-implementing existing work, random number generation, key storage). 
However, it would behoof us by our next WD release to actually *address* 
these concerns. The primary concern seems to be having a high-level APIs 
(which would require pushing on the discovery algorithm).

Thus, my suggestion is that we start at least collecting examples of 
good high-level APIs and comparing their functions, and see if we can 
get a clear consensus. These three come up off top of my head:

1) DOMCrypt - This is David Dahl, who is one of co-editors and a member 
of our WG.

2) Stanford Crypto API - Dan Boneh, Mike Hamburg, and Emily Stark (who 
is on our WG)

3) KeyCzar - this is Steve Weis/Ben Laurie from Google. Shall we ping 
them? @Rsleevi and @wtc?

We could get a call devoted to this topic, and maybe invite some of the 
folks that aren't in our WG. I'd be happy to go for this next week 
unless we want to prioritze other issues!

    cheers,
      harry

[1] https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
[2] http://crypto.stanford.edu/sjcl/
[3] http://www.keyczar.org/
Received on Monday, 24 September 2012 20:45:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 24 September 2012 20:45:04 GMT