- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Mon, 23 May 2011 20:14:36 -0700
David Dahl replied.. > > "Simon Heckmann" <simon at simonheckmann.de> asked.. > >> Why does it only handle asymmetric encryption? Something to >> encrypt/decrypt data with e.g. AES would be nice as well! > > I do need to add a symmetric encryption API as well, my current focus has > been on the exchange of message between web users, but that is only one > facet of the results of this effort. I should look at the big picture a bit > and think about what that API should look like. Various folks have been thinking about the need to leverage platform crypto functions (rather than implementing crypto in "JS libraries") via a standardized API for browser-side web app code such that a swath of use cases is addressed, here's a couple examples of such position statements.. The Need for a Web Security API http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf Wanted: Native JS Encryption http://robert.accettura.com/blog/2011/03/03/wanted-native-js-encryption/ https://mail.mozilla.org/pipermail/es-discuss/2011-March/013144.html Some have noted that there ought to be a very high level API built on top of such a substrate that web app developers could use for their more common use cases. Keyczar is one example of such an API <http://www.keyczar.org/>, and cryptlib is another <http://www.cryptlib.com/security-software/programming-code-examples>. Adam Barth replied.. > > David Dahl said.. > >> Yes, that is the case, I am using NSS. I imagine other browser vendors >> would also use NSS to implement this. > > It's very unlikely that Microsoft will use NSS to implement this API in IE. Agreed. We nominally need an API that can be implemented by interfacing with NSS and CAPI (Microsoft Cryptography API) (arguably as well as OpenSSL, GPG, OpenPGP, etc). fyi/fwiw, another thread from earlier this year cross-posted between this list and <es-discuss at mozilla.org> noted that there is some discussion amongst the EcmaScript spec folk about defining an "a real crypto API".. [whatwg] Cryptographically strong random numbers (Mark Miller) <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-February/030452.html> =JeffH
Received on Monday, 23 May 2011 20:14:36 UTC