- From: Jeffrey Walton <noloader@gmail.com>
- Date: Mon, 11 Mar 2013 23:56:37 -0400
- To: Ryan Sleevi <sleevi@google.com>
- Cc: public-webcrypto-comments@w3.org
Hi Ryan,

I was trying to find a way to help developers understand that some constructs are not as safe as others. For example, MD5 vs SHA or PKCS#1 Padding vs OAEP. I was thinking a namespace could be used to help make the distinction. For example, MD5 and PKCS#1 could be placed in an 'unsafe', 'weak', or 'interop' namespace. Within the documentation, you could offer a warning. The additional typing alone would probably be all the deterrent you need :)

Otherwise, developers will jump on the old bandwagon they know even though WebCrypto has given them more secure or desirable options.

Put another way, how do you help a developer or save a developer from himself/herself when he/she is under tremendous pressures to deliver (and may not have the time to research)?

Devil's advocate: how many developers will take the time to locate the paper "The Million Message Attack in 15 000 Messages" and understand the implications on a high volume web server?

Jeff

On Mon, Mar 11, 2013 at 11:00 PM, Ryan Sleevi <sleevi@google.com> wrote:
> DOM APIs don't really have namespaces. The closest approximation is the fact
> that the SubtleCrypto interface provides the low-level interface, as part of
> window.crypto.subtle.
>
> Perhaps you had a different concept in mind? Note this is not a Constructor
> pattern as seen in some non-DOM APIs (Most DOM APIs go in the global scope.)
>
> On Mar 11, 2013 7:53 PM, "Jeffrey Walton" <noloader@gmail.com> wrote:
>>
>> Hi All,
>>
>> Will WebCrypto be going into its own namespace?
>>
>> It does not appear to be discussed at
>> https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html.
Received on Tuesday, 12 March 2013 03:57:05 UTC
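
Added example, not part of the thread or of the WebCrypto specification: one way an application could get the separation proposed above without DOM namespaces, by wrapping a SubtleCrypto-like object so that weak algorithm names are refused by default and reachable only through an explicit `interop` property. The weak list, its name spellings, `partition`, `interop` and the stand-in backend are all assumptions made for illustration.

```javascript
// Added illustration. The names in WEAK follow the email's examples (MD5,
// PKCS#1 v1.5 padding); the list, its spellings and "interop" are assumptions.
const WEAK = new Set(["MD5", "RSAES-PKCS1-V1_5"]);

// Every algorithm name in an AlgorithmIdentifier: a string, or an object
// with `name` and optionally a nested `hash` identifier (e.g. HMAC params).
function algorithmNames(alg) {
  if (typeof alg === "string") return [alg.toUpperCase()];
  if (alg === null || typeof alg !== "object") return [];
  const own = typeof alg.name === "string" ? [alg.name.toUpperCase()] : [];
  return own.concat(algorithmNames(alg.hash));
}

// All arguments are scanned because the algorithm is not always the first
// one (importKey takes it third).
function weakNamesIn(...args) {
  return args.flatMap(algorithmNames).filter((name) => WEAK.has(name));
}

// Wrap a SubtleCrypto-like object: `subtle` refuses weak names, while
// `interop.subtle` is the untouched backend for legacy peers. Unlike real
// SubtleCrypto, which rejects a promise, this guard throws synchronously.
function partition(backend) {
  const guarded = new Proxy(backend, {
    get(target, prop) {
      const member = target[prop];
      if (typeof member !== "function") return member;
      return (...args) => {
        const weak = weakNamesIn(...args);
        if (weak.length > 0) {
          throw new TypeError(`${weak.join(", ")}: use interop.subtle`);
        }
        return member.apply(target, args);
      };
    },
  });
  return { subtle: guarded, interop: { subtle: backend } };
}

// Constructed stand-in for window.crypto.subtle so the block runs offline.
const demoBackend = { digest: (alg) => `digest:${algorithmNames(alg)[0]}` };
const api = partition(demoBackend);
```

Every use of a weak construct then appears in source as `interop.subtle`, which is easy to find in code review or with a text search.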