[Bug 25985] WebCrypto should be inter-operable from bugzilla@jessica.w3.org on 2014-06-05 (public-webcrypto@w3.org from June 2014)

From: <bugzilla@jessica.w3.org>
Date: Thu, 05 Jun 2014 15:58:24 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25985-7213-Z5sJORaQJC@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25985

--- Comment #15 from Ryan Sleevi <sleevi@google.com> ---
(In reply to Boris Zbarsky from comment #11)
> 
> That doesn't answer my question, unfortunately.  How is this API envisioned
> to be used?

The same way developers have, for the past two decades, worked on every other
platform with a cryptographic API.

You try it. It either works, or it does not. If it does not, you inform your
users.

This is the reality of using the OS provided cryptographic APIs. Unless you
bake the cryptography in yourself - opening up a whole different can of worms
that are non-technical - you have limited guarantees. Even when the OS/library
has reference implementations for X, Y, Z - almost invariably, X/Y/Z can be
disabled.

> We have a set of 3D APIs where the underlying implementation may be OpenGL,
> DirectX, or software on the web today.  It's called WebGL.  This was done by
> only defining a lowest-common-denominator sort of API that could be
> implemented on top of other things.

Without belaboring the metaphor too much, I was *not* talking about things
today. I was describing what it would be like to try to standardize WebGL on
the APIs available 15 years ago. It would not have worked, if you're familiar
with the limitations of Glide/DirectX 3. You did not see the overlap.

> 
> We also have a set of 2D APIs on the web (canvas) that is implemented on top
> of all sorts of different graphics libraries.

Because software polyfills are possible. This is not the case with
cryptography, generally speaking.

> 
> Your situation is actually quite different, as I understand, because you're
> saying there _isn't_ actually meaningful lowest-common-denominator overlap
> of actual end-to-end functionality between crypto libraries.

There is agreement in what things are called, but yes, there is very little
practical agreement in capabilities.

I do *not* see this as a bad thing, because there are a lot of motivations for
why the world is this way.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 5 June 2014 15:58:25 UTC