- From: Salz, Rich <rsalz@akamai.com>
- Date: Mon, 5 May 2014 13:38:42 -0400
- To: Ryan Sleevi <sleevi@google.com>
- CC: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Received on Monday, 5 May 2014 17:39:11 UTC
Ø start making opinionated design decisions, you no longer have an API toolbox –
Gee, not even well-informed opinions? ☺ I agree it’s a toolbox. My concern is that it is a toolbox with no guidance, operating instructions, or safety goggles.
GlobalSign is a neat hack. But is it really a use-case? I have a colleague who implemented SHA-1 in XSLT. Is that a use-case?
> Consider, for example, how SMTP over TLS buys *nothing* for E2E email security, in a land of MX relays. You can trust your mail server, your peer could trust theirs, but in the world of MX and SMTP, that doesn't mean anything.
Which is why I didn’t include it in my “just use TLS” list.
> Conflating with ActiveX is... inaccurate, to say it politely.
ActiveX sent object code to the browser. You want JS, sent from a server, to be able to do anything that native code can do. Seems like a reasonable vcomparison to me, and worth learning from.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me<mailto:rsalz@jabber.me>; Twitter: RichSalz
Received on Monday, 5 May 2014 17:39:11 UTC