Re: WebCrypto: JSON data encoding debate

On Mon, Mar 24, 2014 at 10:18 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Mar 24, 2014 at 5:11 PM, Ryan Sleevi <sleevi@google.com> wrote:
> > Obviously, I'm biased. However, hopefully the TAG can provide their input
> > and guidance on the design of this, because it's clear that there's no
> > progress being made in the WG on this issue. This is rather unfortunate, but
> > since much of the debate is on a matter of "design smells" (whether it is or
> > is not a smell to support the two methods simultaneously, whether it is or
> > is not a smell to require Encoding spec), the TAG seems uniquely qualified
> > to provide input.
>
> When would you want the ArrayBuffer? If you want it frequently and
> performance is critical you might want to expose that. If not, it
> seems exposing just the object is fine. Note that you could also
> expose an actual object and define its toJSON...
>

Since serialization to JWK may involve access to keying material, it's done
asynchronously, since the underlying APIs may themselves block
(particularly if/when talking about other types of cryptographic key
storage). So defining toJSON on the Key object doesn't fly without
preventing these.

As for when ArrayBuffer, only one (very vocal) member has come out in
support of it, but without a use case beyond "wire transport", so it's very
difficult to evaluate the performance requirements. That said,
"performance" appears to be a fairly weak argument, in light of
http://lists.w3.org/Archives/Public/public-webcrypto/2014Mar/0176.html

Am I/are we missing any considerations with respect to the JS object route
that might impact this? For example, nuances of WebIDL or the environment?
Boris Z. mentioned some of the things at
http://lists.w3.org/Archives/Public/public-webcrypto/2014Mar/0156.html

Absent performance considerations, is there a good reason to support both
methods? It seems more detrimental, from an API design smell, to give lots
of little options.


>
> Also, somewhat related, why are Key objects not something you can
> transfer/copy through postMessage? Someone keeps bringing up "local
> CORS" over on public-webappsec
>
> http://lists.w3.org/Archives/Public/public-webappsec/2014Mar/thread.html#msg9
> but it seems like he really wants a way for crypto objects to be passed
> around.
>
>
> --
> http://annevankesteren.nl/
>

Received on Monday, 24 March 2014 17:31:31 UTC
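
The two JWK export shapes debated in this thread (a plain JS object versus an ArrayBuffer of JSON text), shown as an added example that is not part of the original message or the WG's code. It assumes the WebCrypto API as shipped in current browsers and Node.js, where `exportKey('jwk', ...)` resolves to an object; the helper names and the HMAC key are constructed for illustration.

```javascript
// Added illustration. Uses the global WebCrypto object where present,
// otherwise Node's built-in implementation.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Shape 1: JWK as a plain JS object. exportKey() returns a Promise because
// reaching the key material may block in the underlying key store, which is
// why a synchronous toJSON() on the Key object cannot provide it.
async function exportAsObject(key) {
  return subtle.exportKey('jwk', key);
}

// Shape 2: JWK as bytes for "wire transport": the same object serialized to
// JSON and UTF-8 encoded (the step that pulls in the Encoding spec).
async function exportAsBytes(key) {
  const jwk = await exportAsObject(key);
  return new TextEncoder().encode(JSON.stringify(jwk));
}

// Receiving side: reject malformed UTF-8, parse, and import the key as
// non-extractable so it cannot be exported again from this context.
async function importFromBytes(bytes) {
  const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  const jwk = JSON.parse(text);
  const alg = { name: 'HMAC', hash: 'SHA-256' };
  return subtle.importKey('jwk', jwk, alg, false, ['sign', 'verify']);
}

// Round trip with a constructed HMAC key and a constructed sample message.
async function roundTrip() {
  const alg = { name: 'HMAC', hash: 'SHA-256' };
  const key = await subtle.generateKey(alg, true, ['sign', 'verify']);
  const jwk = await exportAsObject(key);
  const bytes = await exportAsBytes(key);
  const imported = await importFromBytes(bytes);
  const msg = new TextEncoder().encode('constructed sample message');
  const tag = await subtle.sign('HMAC', key, msg);
  const ok = await subtle.verify('HMAC', imported, tag, msg);
  return { kty: jwk.kty, alg: jwk.alg, isBytes: bytes instanceof Uint8Array,
           extractable: imported.extractable, ok };
}
```

The byte form is derived from the object form in one line, which is the sense in which exposing only the object loses nothing for callers that need bytes.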