Re: On Registries from Ryan Sleevi on 2014-08-07 (public-webcrypto@w3.org from August 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Thu, 7 Aug 2014 15:31:56 -0700
To: Richard Barnes <rlb@ipv.sx>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvbvGipzkPho_R-NOLOpFFeuQN6f3CHjje1484Tf4T7qJA@mail.gmail.com>

On Thu, Aug 7, 2014 at 3:24 PM, Richard Barnes <rlb@ipv.sx> wrote:

>
> In terms of actual API, it makes sense to me to keep the idioms we have
> right now, i.e., crypto.subtle.encrypt(alg) rather than
> crypto.subtle.alg.encrypt().
>

Right, I was not and am not proposing we change the API (though that was
something I discussed three years ago, but we just sorta 'meh'd it, since
it would have made smart cards a bit weird).

> But in terms of managing extensibility, I agree with Ryan that it's
> prudent to take a consensus-based approach rather than a more liberal
> registry-based approach.  At least for "official" algorithms that web
> developers can expect to have support for across the web (vs.
> vendor-specific or experimental algorithms).
>
> --Richard
>
>
Right, I am trying to establish how, from a developer perspective (i.e
"What can I write for the Web" and "How do I use it"), that "AES-GCM" as a
string is no different than aes_gcm as a method is no different than
window.performance. That is, it's something that if a UA is going to start
shipping, then they're going to create issues when websites start to use
that.

Now, different UAs have different approaches to this. Blink's / Chromium's
process is detailed here - http://www.chromium.org/blink#launch-process . I
don't have handy links to Mozilla's (although I think Blink and Moz have
been harmonizing pretty much on the same principles). Historically, UAs
(including Chromium) would alternatively do vendor prefixes. Of course,
that creates its own set of issues (
http://blogs.msdn.com/b/ie/archive/2014/07/31/the-mobile-web-should-just-work-for-everyone.aspx
)

We need to avoid that for WebCrypto.

If we recognize that every algorithm, at least shipped in a UA (e.g. what
this W3C WG formally cares about, although we take particular care for
other use cases/profiles), is an intrinsic part of the Web API, much like
IndexedDB or Performance Timing or Service Workers, then a registry doesn't
make sense. Because the Web doesn't have an "API registry". It has specs
and standards, and WGs (WebApps, WebAppSec, ... WebCrypto) and
Organizations (W3C, WHATWG).

That's why I don't see "AES-GCM" any different than "Service Worker"

Received on Thursday, 7 August 2014 22:32:24 UTC