- From: <bugzilla@jessica.w3.org>
- Date: Mon, 28 Jul 2014 19:40:58 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #21 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Tom Lowenthal from comment #20)
> As it stands, the spec doesn't seem on track to implement a solution which
> will be actually useful at achieving the first goal specified in the WG's
> charter. I hope to find a solution which will allow developers to implement
> trustworthy applications.

Tom,

This is a mischaracterization. The API allows you to generate such applications with unextractable keys. An application author is REQUIRED, by contract of the API, to specify whether or not they desire keys to be extractable.

Again, to reiterate, if the API made all keys unextractable, then an application author CAN, just the same, use a purely JS polyfill (as SJCL, Forge, End to End, and countless others are PROOF of this), and have the EXACT SAME API and capabilities as exposed through Web Crypto API. So it does absolutely nothing to improve security to arbitrarily limit the API, since there is no reduction of capabilities in a polyfill, only a real and tangible reduction of security.

Put differently: Your solution will make the web less secure. Provably.
Received on Monday, 28 July 2014 19:41:00 UTC
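
The `extractable` argument referred to in the message above, shown as an added example that is not part of the original message or of the Web Crypto specification text. The helper name `probeKey`, the HMAC/SHA-256 parameters and the sample message are assumptions chosen for illustration; the code runs in a browser or in Node.js.

```javascript
// Added example: how the required `extractable` argument of generateKey()
// changes what script can do with the resulting CryptoKey.
const subtle =
  globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Assumed parameters for the illustration (not taken from the message).
const ALG = { name: 'HMAC', hash: 'SHA-256' };

// Generate a key with the given extractable flag, use it, then try to
// export the raw key material. Returns a summary of what the API allowed.
async function probeKey(extractable) {
  // The second argument is mandatory: the caller must state the intent.
  const key = await subtle.generateKey(ALG, extractable, ['sign', 'verify']);

  // Constructed sample input.
  const data = new TextEncoder().encode('constructed sample message');
  const sig = await subtle.sign('HMAC', key, data);
  const verified = await subtle.verify('HMAC', key, sig, data);

  let exportedBytes = 0;
  let exportError = null;
  try {
    const raw = await subtle.exportKey('raw', key);
    exportedBytes = raw.byteLength;
  } catch (err) {
    // The specification calls for InvalidAccessError when the key is not
    // extractable; the name is recorded as reported by the runtime.
    exportError = err.name;
  }

  return {
    extractable: key.extractable,
    signatureBytes: sig.byteLength,
    verified,
    exportedBytes,
    exportError,
  };
}

// Stand-alone run: the non-extractable key still signs and verifies,
// but its bytes never become visible to script.
Promise.all([probeKey(false), probeKey(true)]).then(([locked, open]) => {
  console.log({ locked, open });
});
```
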