- From: <bugzilla@jessica.w3.org>
- Date: Thu, 12 Jun 2014 22:51:48 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26080 --- Comment #6 from Ryan Sleevi <sleevi@google.com> --- (In reply to Greg Slepak from comment #5) > 1. See no longer rendered <BLINK> tag. Only worked because it was only one UA. And, FWIW, the HTML5 spec still describes how to parse it. > This bug started as an offshoot of bug 25839, where I was told (by you) in > not > precisely these words, that the Web Crypto API is not recommending that > specific > curves be implemented. WebCrypto IS normatively requiring that, if ECDSA or ECDH are supported as algorithms, the curves specified MUST be supported. WebCrypto is NOT requiring that ECDSA or ECDH are supported. > I wouldn't have created this bug if your spec offered a single safe curve, > but it does not, so it can be argued that the "tools" it's providing aren't > very good (currently). Hopefully a safe curve(s) will be added to the spec > soon. The misnomer of "safe curve" will continue to cause confusion. Truly unfortunate. > That doesn't mean, however, that in all cases the security of WebCrypto is > limited by TLS (for example, browser extensions that store pinned certs or > fingerprints locally would clearly have security exceeding that of TLS + > X.509). Extensions updated via TLS? That are signed with { RSA or ECDSA-using-the-NIST-curves }? Which are both UA-specific implementation details? > > A look forward for more (safer) curve diversity in the spec, and hope it > makes > it into the 1.0 (or w/e you call your final release). That is unlikely. -- You are receiving this mail because: You are on the CC list for the bug.
Received on Thursday, 12 June 2014 22:51:49 UTC