- From: Wan-Teh Chang <wtc@google.com>
- Date: Thu, 20 Sep 2012 16:51:40 -0700
- To: Zooko Wilcox-OHearn <zooko@leastauthority.com>
- Cc: public-webcrypto@w3.org, Ryan Sleevi <sleevi@google.com>
Thanks to Tibor Jager for the review comments. Ryan is right. The current low-level API is designed for developers who understand the difference between PKCS #1 v1.5 and RSA OAEP, and the problems with encryption without message authentication code. It'd be a good idea to add a short paragraph to the Security Considerations section about such issues (I seem to recall such a paragraph already exists -- perhaps it just needs to be edited), but the API specification needs to be mainly about specifying the API. Wan-Teh
Received on Thursday, 20 September 2012 23:52:08 UTC