Re: security of a client-side JS API?

On 11/1/12 10:13 AM, "Richard L. Barnes" <rbarnes@bbn.com> wrote:

I think End-to-End encryption is easily implementable with current webcrypto
API spec.

My feeling is that truly private, end-to-end encryption using the
WebCrypto API (or indeed any JS crypto library) is only possible if
implemented in an open-source browser extension, such as Cryptocat. As
far as I can tell, it is not possible in a web app using the WebCrypto
API.

Standardization for E2E is a difficult issue.

Probably, but some reasonably simple standards should be possible. For
example, encrypting/decrypting text and encrypting/decrypting files
look like two relatively simple and fairly general use cases.

Best regards,
Arthur


If you don't trust the downloaded JavaScript, why are you using a web app?  If you have to download a browser extension, then you might as well install a dedicated application.  ISTM that your definition of E2E is not really germane to this working group.

Exactly my opinion as well. Well said.


--Richard

Received on Thursday, 1 November 2012 21:18:47 UTC