- From: Nikos Mavrogiannopoulos <nikos.mavrogiannopoulos@esat.kuleuven.be>
- Date: Thu, 23 May 2013 10:35:28 +0200
- To: <public-webcrypto-comments@w3.org>
- Cc: danny de cock <Danny.DeCock@esat.kuleuven.be>, Filipe Beato <filipe.beato@esat.kuleuven.be>
Hello,

Our comments on the available Web Cryptography API are given below and in the next few e-mails.

=== Side effects of a low-level API ===

A low-level API in JavaScript moves the notion of standards-based web communications security (which is now only available via the TLS protocol) to a web site-based communications security. Any website can advertise security features such as encrypted uploading of files, but a user can never verify whether the algorithms used are standards-based, or are correctly used. Most importantly, he can barely verify that the algorithms are used at all. As it is now, the API looks suitable for JavaScript plugins inside browsers or for intranet applications, but not for the public Internet.

A solution to that approach would be to offer a high-level API to handle the common expected use cases of the low-level API, and that high-level API will use standardized protocols, implemented in the browser. For example:

* An API to upload an encrypted and authenticated file -> the browser uses the standardized procedure and the user is notified by the browser that his file will be encrypted prior to uploading
Received on Thursday, 23 May 2013 10:12:58 UTC