- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Fri, 20 May 2011 13:36:52 -0700

> With user control and privacy in mind, I have created a spec and an
> implementation for an easy to use cryptography API called DOMCrypt. This API
> will provide each web browser window with a 'cipher' property that
> facilitates:
>
> * asymmetric encryption key pair generation
> * public key encryption
> * decryption
> * signature generation
> * signature verification
> * hashing
> * easy public key discovery via meta tags
>
> I have created a Firefox extension that implements all of the above, and am
> working on an experimental patch that integrates this API into Firefox.

A subtle-but-important aspect to note about the above is that you impl'd it via interfacing to the in-browser NSS API rather than (re)coding it in JS.

> The draft spec is here:
> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest

It's an interesting start, but the methods of the window.cipher property appear to be tailored pretty specifically for your "addressbook" use case..

https://wiki.mozilla.org/Privacy/Features/mozCipherAddressbook

..which itself describes an implicit key exchange mechanism.

While that's sorta interesting, there's various use cases that've been mentioned in various places that the above proposed API doesn't necessarily address..

Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0898.html

Re: Web Sigining in Action
http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0953.html

JS crypto? (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0605.html

Re: Hash functions (and ensuing thread)
http://lists.w3.org/Archives/Public/public-webapps/2010OctDec/1041.html

Additionally, key exchange often becomes a tar pit. It'd be great if there were functionality in such a JS-accessible API so that one could leverage keying material from underlying, e.g. TLS, key exchanges (see RFC 5705, and "keying material exporter" column in <https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_TLS_Implementations#Extensions>; also NSS' SSL_PeerCertificate() with which one can get the peer's cert and thus public key), rather than invent new ones.

HTH,

=JeffH
Received on Friday, 20 May 2011 13:36:52 UTC