- From: <bugzilla@jessica.w3.org>
- Date: Thu, 05 Jun 2014 01:58:50 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25985 --- Comment #3 from Ryan Sleevi <sleevi@google.com> --- (In reply to Boris Zbarsky from comment #2) > Are we in a position where we can require that at least one of certain > subsets of algorithms be supported? Right now a browser could ship the > crypto API, implement no algorithms at all, and claim compliance. That's > clearly not desirable. I agree, not desirable, but I don't see how, given the situation I described, requiring algorithms can possibly be implemented. Consider a hypothetical world where we require algorithms X, Y, and Z. Let's say that the user of a particular user agent decide's that Z is unacceptably insecure, because they believe a government they do not trust backdoored the design of Z. Thus, they wish to disable Z. Are they prevented now from using X and Y - even when they're perfectly secure? If that sounds hypothetical, it's not. Z, in this case, is ECC with the NIST curves. So let's say we spec'd "NIST curves and Curve25519 and Brainpool" (Bug 25839). Now users within the US government are prohibited from using Curve25519/Brainpool, so they wish to disable those curves. Are they too now prevented from using WebCrypto? Let's look how this applies to other specifications though. Is it against interoperability if a user agent doesn't implement <img> support? Or allows the users to disable images? What about Javascript? Cookies? Location APIs? Is it against interoperability if a (generic, desktop) UA that supports the location API executes on a device that does not have access to location information? Or that the location information may be mediated by the OS, and does not provide signals as to when it doesn't have a location? Similarly, if a UA restricts access to audio/video access (via getUserMedia()), is it against interoperability? The API has been structured to provide normative requirements for the 'shape' of the API (the bindings, inputs, outputs), and normative requirements within an algorithm (to the degree possible), but treats each 'algorithm' as if it were one of these device capabilities - a webcam, a microphone, a location, image support, etc - because within the realm of (political, legal, administrative, regulatory) spheres, that's how they're treated: distinct, independent parts. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Thursday, 5 June 2014 01:58:52 UTC