- From: Thomas Kopp <thomas.kopp@luxtrust.lu>
- Date: Wed, 7 Aug 2013 15:52:27 +0000
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Received on Wednesday, 7 August 2013 21:15:45 UTC
Dear all,

This project seems to be very interesting and could solve a couple of problems. Enclosed, please find some questions:

- What is the status of the project? In particular, are the indicated planning and milestones still up-to-date?
- Which browser vendors will support the API? Any commitments yet?
- Will support also be available on mobile platforms?
- Important: This API exposes sensitive functionality that is supposed to be called via JavaScript. Unfortunately, JavaScript has no cross-platform support for using signed code only. As a consequence, this API risks being a first-class candidate for attackers, since it permits executing sensitive operations in potentially unsecure environments. Thus, it would be desirable that the same workgroup also covers code signing of JavaScript and proposes a cross-platform approach with a recommendation to the API vendors for implementing it. This strategy would not only permit performing signature operations via JavaScript, but also protect applications (and their users) employing such an approach.