Re: Drastically cutting primary features [was Re: Last call for public comments on Web Crypto charter]

Brian Smith wrote:
> Mark Watson wrote:
> > The possibility to develop secure application protocols in
> > Javascript, without using TLS, is exactly one of the points of
> > this API, at least for us.
> I do anticipate this work enabling substitutes for TLS.

Of course, I wrote exactly the opposite of what I meant:

I do NOT anticipate this work enabling substitutes for TLS.

> I wouldn't be surprised if some uses of key material and/or
> transmissions of key material were specifically restricted to
> authenticated and encrypted (i.e. TLS) connections by implementations.
> The key material is going to be traceable to the user's identity so it
> will likely have to be protected to the same extent as the user's
> identity is.
> Browser makers seem keen to prevent any new mixed content scenarios.
> AFAICT, that means that the browser has to understand at least some of
> the security properties of the transport security protocol used, to
> ensure that transport security protocol has the same/similar
> properties that TLS has. The easiest way to do that would be to just
> have all applications use TLS. If TLS isn't appropriate for some
> applications like streaming video, then we should have a (separate?)
> discussion of how that is going to work.
> - Brian

Received on Friday, 25 November 2011 03:05:36 UTC