[whatwg] Cryptographically strong random numbers from Adam Barth on 2011-02-14 (public-whatwg-archive@w3.org from February 2011)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 14 Feb 2011 02:47:18 -0800
Message-ID: <AANLkTine3zgOcRNZTCOmAnPLXy6-EW4TLw8UJPnNtxgH@mail.gmail.com>

On Sun, Feb 13, 2011 at 10:12 PM, Mark S. Miller <erights at google.com> wrote:
> On Sun, Feb 13, 2011 at 6:37 PM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
>> On 2/13/11 8:22 PM, Adam Barth wrote:
>>> It seems likely that window.crypto will continue to grow more quality
>>> cryptographic APIs, not all of which will be appropriate at the
>>> ECMAScript level.
>>>
>>
>> Sure; the question is whether this _particular_ API would be more
>> appropriate at the language level. ?Or more to the point, if the language
>> plans to grow it anyway, do we need two APIs for it?
>>
>> It's worth at least checking with the ES folks whether they plan to add a
>> API like this (something that fills in an array of bytes with
>> cryptographically strong random values) in any sort of short-term timeframe.
>
> Thanks for checking. The answer is yes. I'm scheduled to start a discussion
> of <http://wiki.ecmascript.org/doku.php?id=strawman:random-er> at either the
> upcoming March or May meetings. Currently random-er is on the agenda for May
> but I may swap it into March. As you can tell, this page is currently only a
> placeholder.
>
> I have also talked just a bit with Shabsi Walfish, Ben Laurie, David Wagner,
> and Bill Frantz, all cc'ed, about the possibility of a real crypto API for
> EcmaScript. With the sole exception of randomness, I believe that we should
> handle this the same way we're handling i18n -- as a separate working group
> within tc39 (the EcmaScript committee) working on a separate standard
> library in a separate standards document. The reason to make an exception
> for random-er is that it's the only fundamental omission. Given a decent
> random-er, everything else can be done initially in JS.

That's a pretty long time horizon.  You're going to start discussing
it in 2-4 months?  That seems a bit overwrought for what amounts to
four lines of code.

In any case, I don't mean to discourage you.  Having nice crypto APIs
available to JavaScript would be quite useful.

Adam

Received on Monday, 14 February 2011 02:47:18 UTC