- From: Salz, Rich <rsalz@akamai.com>
- Date: Tue, 13 May 2014 09:04:45 -0400
- To: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
- CC: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
Received on Tuesday, 13 May 2014 13:05:18 UTC
Thank you for your reply.
> I’m not sure that is entirely fair.
Perhaps. But by reading the public record, and the (tone of) my public discussions on this list, it’s a plausible conclusion to draw.
> So we’ve opted to take the approach of saying “It’s all scary, so ask an expert.”
My point is that experts have already weighed in and pointed out there are issues with existing uses of certain mechanisms in the way they are currently used. Since section 5.2 warns against creating new protocols, it seems a no-brainer to list items that are known to have problems. If you think my suggested warning leads to a (sic) false sense of security, then I would be delighted to see the WG strengthen it to avoid that.
My concern, as I have consistently tried to explain, is that you are unleashing a general-purpose cryptographic API with no warnings or practical security advice. In turn, the responses I have consistently heard, is that someone else should do that. We disagree.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rsalz@jabber.me<mailto:rsalz@jabber.me>; Twitter: RichSalz
Received on Tuesday, 13 May 2014 13:05:18 UTC