- From: Anders Rundgren <anders.rundgren@telia.com>
- Date: Wed, 10 Jul 2013 05:18:20 +0200
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
I believe the core Web Crypto API represents a very fine piece of engineering.

One thing bothers me though, and that is that the key generation/provisioning mechanisms in the current version of Web Crypto don't appear to provide anything above what is offered by <keygen> (Apple[OSX only]/Google/Mozilla) and CertEnroll (Microsoft), which both have received close to a 100% rejection by, for example, the financial industry. That the latter haven't spurred any action in, for example, Redmond is because US banks have never gotten a grip on consumer authentication and "unusual" requirements from foreign markets don't really count :-)

However, I'm apparently not the only person who doesn't accept the status quo; Google's recently launched Gnubby scheme
https://sites.google.com/site/oauthgoog/gnubby
adds quite a bunch of missing functionality and also seems to be a *direct replacement* of Web Crypto's key generation/storage method.

FWIW, I'm pretty convinced that various non-standard "SOP emulation" schemes (like Samuel Erdtman's super-simple X.509-based extension concept) will long-term be more important for usage with Web Crypto than the "native" key generation, which probably is more suitable for creating ephemeral keys in protocols.

Some of these systems will also "reintegrate" and unite the platform with respect to key provisioning and key storage. There's hardly an advantage in having 3 different systems for managing and storing keys like in Android. A key is a key :-)

Anders
Received on Wednesday, 10 July 2013 03:18:53 UTC