comments on web crypto API: Side effects of a low-level API [1/6]

  Our comments on the available Web Cryptography API are given below and 
on the few next e-mails.

=== Side effects of a low-level API ===
A low level API into javascript moves the notion of standards' based 
web communications security (which is now only available via the TLS 
protocol), to a web site-based communications security. Any website can 
advertise security features such as encrypted uploading of files, but a 
user can never verify whether the algorithms used are standards' based, 
or are correctly used. Most importantly he can barely verify that the 
algorithms are used at all. As it is now the API looks suitable for 
javascript plugins inside browsers or to intranet applications, but not 
for the public Internet.

A solution to that approach would be to offer high level API to handle 
the common of the expected use cases of the low level API, and that high 
level API will use standardized protocols, implemented in the browser. 
For example:
* An API to upload an encrypted and authenticated file
  -> the browser uses the standardized procedure and the user is 
notified by the browser that his file will be encrypted prior to 

Received on Thursday, 23 May 2013 10:12:58 UTC