Re: [Web Crypto WG] about defining profiles from Charles Engelke on 2015-03-05 (public-webcrypto@w3.org from March 2015)

From: Charles Engelke <w3c@engelke.com>
Date: Thu, 5 Mar 2015 12:28:01 -0500
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CAFeVzdymsHZFVCcCV64LaS0W4PJTrx7c0hRhVqYWJk6t569GGg@mail.gmail.com>

On Thu, Mar 5, 2015 at 5:44 AM, GALINDO Virginie
<Virginie.Galindo@gemalto.com> wrote:
> Dear all,
>
> a question to the WG members (and specially to implementers) related to
> defining profile(s) and tracked into the bug 25985 [1].

As a developer, not UA implementer, I would find profiles very useful,
especially a minimal one that all UAs support. That should include at
least one each of PK signing, PK encryption, symmetric encryption,
HMAC, hash, and key derivation. With those universally available I
could build applications that could communicate with each other
regardless of the browser they run on.

> - what is the current overlapping coverage of algorithms across the
> implementations ?

It appears that browser makers pretty much support a common set of
those kinds of algorithms (almost). I've got some sample applications
at https://github.com/infotechinc, and have found that every browser
I've tried that supports web crypto at all runs all of them
successfully except key derivation. Specifically, I've found universal
support for RSASSA-PKCS1-v1_5, RSA-OAEP, AES-CBC, and SHA-256. Only
Chrome Canary and Opera Developer support PBKDF2 at this time.

I've tried these apps on Chrome, Opera, and Firefox on Ubuntu Linux
and Windows 7, and Chrome on Android 5.0. (I'm still tickled that the
ones that don't use files work on my Android Wear watch, too.) I'm
putting together a table of browser support based on those apps plus
the results from the Web Cryptography API Live Table from
https://diafygi.github.io/webcrypto-examples/ . I'll share that when
it's done, probably within a day or two.

I've also found Safari on OS/X, which has a prefixed subtle crypto
implementation, seems to support many of the apps but still has issues
that keep most of them from working. I haven't tried Internet
Explorer's prefixed implementation because it is based on a much
earlier version of the API that isn't compatible with the current one.

> - what is your feeling about having a profile captured into a document ?
> - which level of normalization would you like ot see associated with that
> document ? (being a note, a recommendation...).

I would very much like that. I'm not set on any particular level of
normalization, probably because I don't have a good understanding of
the differences.

Thanks,

Charlie
-- 
Charles Engelke, Chief Technology Officer
Info Tech, Inc.
Phone: +1 (352) 381-4400

Received on Thursday, 5 March 2015 17:28:30 UTC