- From: David Dahl <ddahl@mozilla.com>
- Date: Fri, 20 May 2011 14:16:30 -0700 (PDT)
----- Original Message -----
From: "=JeffH" <Jeff.Hodges@KingsMountain.com>
To: whatwg at lists.whatwg.org

>> I have created a Firefox extension that implements all of the above, and am
>> working on an experimental patch that integrates this API into Firefox.

> A subtle-but-important aspect to note about the above is that you impl'd it via interfacing to the in-browser NSS API rather than (re)coding it in JS.

Yes, that is the case, I am using NSS. I imagine other browser vendors would also use NSS to implement this.

>> The draft spec is here:
>> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest

> It's an interesting start, but the methods of the window.cipher property appear to be tailored pretty specifically for your "addressbook" use case..

>> https://wiki.mozilla.org/Privacy/Features/mozCipherAddressbook

> ..which itself describes an implicit key exchange mechanism.

Indeed it does. The first use case I have in mind is pseudo-anonymous communication via social networking. Hence the namespacing in the API. Other use cases I have not tackled yet are symmetric encryption via a variety of algos, etc...

> While that's sorta interesting, there's various use cases that've been mentioned in various places that the above proposed API doesn't necessarily address..

> Web Sigining in Action
> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0898.html
> Re: Web Sigining in Action
> http://lists.w3.org/Archives/Public/public-webapps/2009JanMar/0953.html
> JS crypto? (and ensuing thread)
> http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0605.html
> Re: Hash functions (and ensuing thread)
> http://lists.w3.org/Archives/Public/public-webapps/2010OctDec/1041.html

I will have to read these threads and get back to you. I am familiar with some of them.

> Additionally, key exchange often becomes a tar pit. It'd be great if there were functionality in such a JS-accessible API so that one could leverage keying material from underlying, e.g. TLS, key exchanges (see RFC 5705, and "keying material exporter" column in <https://secure.wikimedia.org/wikipedia/en/wiki/Comparison_of_TLS_Implementations#Extensions>; also NSS' SSL_PeerCertificate() with which one can get the peer's cert and thus public key), rather than invent new ones.

I am definitely not trying to tackle the great "key exchange" solution. I was thinking about how, on the most basic level, you could simply publish your "addressbook entry" for others to collect. A meta tag came to mind as something quite simple - the browser just needs a way to prompt the user and save the data as JSON.

Thank you for the feedback, you have provided me with a lot of weekend reading.

Regards,

David
Received on Friday, 20 May 2011 14:16:30 UTC