- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 1 Nov 2014 20:44:25 +0100
- To: Ryan Sleevi <sleevi@google.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>, Anders Rundgren <anders.rundgren.net@gmail.com>, Richard Barnes <rlb@ipv.sx>
- Message-ID: <CAKaEYhK5zQ_KbS+4TY=mRGX0XHx2b2Rmrpq6cp32_wUgb2d36w@mail.gmail.com>
On 1 November 2014 20:17, Ryan Sleevi <sleevi@google.com> wrote: > > On Nov 1, 2014 1:14 PM, "Melvin Carvalho" <melvincarvalho@gmail.com> > wrote: > > > > > > > > On 1 November 2014 19:40, Richard Barnes <rlb@ipv.sx> wrote: > >> > >> > >> > >> On Sat, Nov 1, 2014 at 7:42 AM, Melvin Carvalho < > melvincarvalho@gmail.com> wrote: > >>> > >>> > >>> > >>> On 1 November 2014 11:40, Anders Rundgren < > anders.rundgren.net@gmail.com> wrote: > >>>> > >>>> On 2014-11-01 11:33, Melvin Carvalho wrote: > >>>>> > >>>>> I was wondering if anyone could point me to how close we are to > getting browsers to implement web crypto in the browser. > >>>> > >>>> > >>>> The shipping version of Chrome supports the current spec for RSA. > >>>> Unfortunately the WebCrypto WG has decided that there should not be > any mandatory algorithms. > >>>> > >>>> Firefox "Nightly" supports RSA and ECDH. > >>>> > >>>> IE 11 supports an earlier iteration of the spec. > >>> > >>> > >>> Thank you, very helpful! > >>> > >>> From the sounds of it, it makes most sense to base current development > using this spec on chromium, with some minor fixes as required. > >> > >> > >> Note that recent versions of Firefox also have WebCrypto. In version > 34 (currently beta), it is on by default, and in version 33 (currently > aurora), you can turn it on with "dom.webcrypto.enabled". > >> > >> Firefox also lacks the HTTPS restriction that Anders notes. > > > > > > Oh, thanks for the info. That sounds like a significant plus. > > > > Not if you value security or the security of your users. > Good point. Security is a concern, especially if a MITM can inject malicious js to interact with key material. But there's always a trade off between convenience, security, and being developer friendly. I should have prefaced my comment by, imho, as a developer the choice is for me, a significant plus. > >> > >> > >> > >>> > >>> I share our surprise that there are no mandatory algorithms in this > spec. > >> > >> > >> This may change soon. The plan is to look at what the first > implementations have been able to achieve, and if there's a common set, > make that a requirement going forward. > > > > > > Great! > > > >> > >> > >> --Richard > >> > >> > >>> > >>> > >>>> > >>>> > >>>> Anders > >>>> > >>>> > >>>>> > >>>>> I was looking at using http://polycrypt.net/ in the meantime but is > that still maintained, it points to a 2012 version of the spec. > >>>> > >>>> > >>> > >> > > >
Received on Saturday, 1 November 2014 19:44:54 UTC