Re: polycrypt and webcrypto from Melvin Carvalho on 2014-11-01 (public-webcrypto-comments@w3.org from November 2014)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 1 Nov 2014 20:44:25 +0100
To: Ryan Sleevi <sleevi@google.com>
Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Richard Barnes <rlb@ipv.sx>
Message-ID: <CAKaEYhK5zQ_KbS+4TY=mRGX0XHx2b2Rmrpq6cp32_wUgb2d36w@mail.gmail.com>

On 1 November 2014 20:17, Ryan Sleevi <sleevi@google.com> wrote:

>
> On Nov 1, 2014 1:14 PM, "Melvin Carvalho" <melvincarvalho@gmail.com>
> wrote:
> >
> >
> >
> > On 1 November 2014 19:40, Richard Barnes <rlb@ipv.sx> wrote:
> >>
> >>
> >>
> >> On Sat, Nov 1, 2014 at 7:42 AM, Melvin Carvalho <
> melvincarvalho@gmail.com> wrote:
> >>>
> >>>
> >>>
> >>> On 1 November 2014 11:40, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
> >>>>
> >>>> On 2014-11-01 11:33, Melvin Carvalho wrote:
> >>>>>
> >>>>> I was wondering if anyone could point me to how close we are to
> getting browsers to implement web crypto in the browser.
> >>>>
> >>>>
> >>>> The shipping version of Chrome supports the current spec for RSA.
> >>>> Unfortunately the WebCrypto WG has decided that there should not be
> any mandatory algorithms.
> >>>>
> >>>> Firefox "Nightly" supports RSA and ECDH.
> >>>>
> >>>> IE 11 supports an earlier iteration of the spec.
> >>>
> >>>
> >>> Thank you, very helpful!
> >>>
> >>> From the sounds of it, it makes most sense to base current development
> using this spec on chromium, with some minor fixes as required.
> >>
> >>
> >> Note that recent versions of Firefox also have WebCrypto.  In version
> 34 (currently beta), it is on by default, and in version 33 (currently
> aurora), you can turn it on with "dom.webcrypto.enabled".
> >>
> >> Firefox also lacks the HTTPS restriction that Anders notes.
> >
> >
> > Oh, thanks for the info.  That sounds like a significant plus.
> >
>
> Not if you value security or the security of your users.
>

Good point.  Security is a concern, especially if a MITM can inject
malicious js to interact with key material.  But there's always a trade off
between convenience, security, and being developer friendly.  I should have
prefaced my comment by, imho, as a developer the choice is for me, a
significant plus.


> >>
> >>
> >>
> >>>
> >>> I share our surprise that there are no mandatory algorithms in this
> spec.
> >>
> >>
> >> This may change soon.  The plan is to look at what the first
> implementations have been able to achieve, and if there's a common set,
> make that a requirement going forward.
> >
> >
> > Great!
> >
> >>
> >>
> >> --Richard
> >>
> >>
> >>>
> >>>
> >>>>
> >>>>
> >>>> Anders
> >>>>
> >>>>
> >>>>>
> >>>>> I was looking at using http://polycrypt.net/ in the meantime but is
> that still maintained, it points to a 2012 version of the spec.
> >>>>
> >>>>
> >>>
> >>
> >
>

Received on Saturday, 1 November 2014 19:44:54 UTC