- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 23 Dec 2013 18:54:42 +0100
- To: sysapps <public-sysapps@w3.org>
Dear List,

I hope you don't mind if I exploit the huge competence this group has on browsers and JavaScript.

Anyway, I have developed a family of security protocols that, instead of exposing an API, build on the idea of invoking a specific application (anticipated to be a part of a future browser) through a call to a generic dispatcher JS function with a JSON object as the sole argument.

A simple request/response protocol:
http://webpki.org/papers/PKI/webauth.pdf#page=2

A pretty complex 5+5 pass protocol:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/keygen2.html

There are two possible methods for expressing the JSON argument:

1. as a JavaScript string: '{"a":2}'
2. as a JavaScript object: {"a":2}

Now to my question... Both methods should work, but maybe there are reasons for selecting one of them?

Variant #1 requires the use of a JSON parser, which variant two does not, but OTOH doing message parsing on an arbitrary JS object doesn't seem trivial, and for multi-pass systems like KeyGen2 you would need JSON parsing anyway since the other messages are using direct communication.

A reason for not using an API for each application is that these applications are supposed to be packaged in such a way that only the invocation would be public, a little bit like TLS works. There is also a huge variation in input parameters, which makes an API quite awkward. In fact, you would have to have arguments like "parm1=[6,79]", which means that you end up with some kind of JSON no matter what you do!

Recognizing protocols/applications by the dispatcher is done through a simple registration system:
http://webpki.org/papers/keygen2/doc/org/webpki/json/JSONDecoderCache.html

Cheers,
Anders
Received on Monday, 23 December 2013 17:55:13 UTC
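
The two argument forms from the message above, handled by one dispatcher, as an added example that is not part of the original message or of the WebPKI code. The names `register`, `dispatch`, `isPlainJson`, the `protocol` field and the `example.echo` handler are hypothetical; the point is how much validation an object argument needs before it is as trustworthy as parsed JSON text.

```javascript
// Added example (hypothetical names): a dispatcher that accepts either variant.
const registry = new Map(); // protocol id -> handler; stands in for a registration system

function register(protocolId, handler) { registry.set(protocolId, handler); }

// True only for values JSON text can express: no accessors, functions,
// symbols, class instances, non-finite numbers, or repeated/cyclic references.
function isPlainJson(value, seen = new Set()) {
  if (value === null) return true;
  const t = typeof value;
  if (t === 'string' || t === 'boolean') return true;
  if (t === 'number') return Number.isFinite(value);
  if (t !== 'object' || seen.has(value)) return false;
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  if (!Array.isArray(value) && proto !== Object.prototype && proto !== null) return false;
  return Reflect.ownKeys(value).every((key) => {
    if (typeof key === 'symbol') return false;
    const desc = Object.getOwnPropertyDescriptor(value, key);
    return 'value' in desc && isPlainJson(desc.value, seen); // getters have no 'value'
  });
}

function dispatch(arg) {
  let message;
  if (typeof arg === 'string') {
    // Variant 1: the parser yields inert data or throws SyntaxError.
    message = JSON.parse(arg);
  } else {
    // Variant 2: validate first, then take a detached snapshot so the caller
    // cannot mutate the message after it has been checked.
    if (!isPlainJson(arg)) throw new TypeError('argument is not plain JSON data');
    message = JSON.parse(JSON.stringify(arg));
  }
  if (message === null || typeof message !== 'object' || Array.isArray(message)) {
    throw new TypeError('top-level value must be a JSON object');
  }
  const id = message.protocol; // "protocol" is an assumed field name
  const handler = typeof id === 'string' ? registry.get(id) : undefined;
  if (!handler) throw new Error('no handler registered for this message');
  return handler(message);
}

// Constructed sample protocol, registered so the block runs stand-alone.
register('example.echo', (m) => m.a);
```

A `Proxy` can still answer the descriptor checks one way and `JSON.stringify` another, a gap that the string form does not have.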