W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25842] New: Web developers given enough crypto rope to shoot selves in foot

From: <bugzilla@jessica.w3.org>
Date: Tue, 20 May 2014 23:54:11 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25842-7213@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25842

            Bug ID: 25842
           Summary: Web developers given enough crypto rope to shoot
                    selves in foot
           Product: Web Cryptography
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Web Cryptography API Document
          Assignee: sleevi@google.com
          Reporter: me@tomlowenthal.com
                CC: public-webcrypto@w3.org

Web developers are offered a whole grab bag of crypto algorithms and
primitives. 

This is not fundamentally problematic: there may be web developers who are
deeply familiar with cryptography and have the wherewithall to reasonably
evaluate which algorithms they should and should not be using. However, most
web developers are not.

Providing a recipe book of algorithms makes it unreasonably easy for web
developers to pick wrong. In addition to making a wide range of primitives
available to those who know what they're doing, the spec should take advantage
of the considerable cryptographic expertise in the WG to construct secure,
simple-to-use high-level primitives and recommend that most developers use
them.

DJB's NaCl library provides a good illustration of how to both provide secure
default operations and make numerous primitives available for advanced
applications.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Received on Tuesday, 20 May 2014 23:54:12 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC