[whatwg] window.cipher HTML crypto API draft spec

The implementation is secondary in this effort. I think I have nailed down an elegant API that web developers can understand and easily use without shooting themselves and others in the foot.

Regards,

David

----- Original Message -----
From: "=JeffH" <Jeff.Hodges@KingsMountain.com>
To: whatwg at lists.whatwg.org
Sent: Monday, May 23, 2011 10:14:36 PM
Subject: Re: [whatwg] window.cipher HTML crypto API draft spec

David Dahl replied..
 >
 > "Simon Heckmann" <simon at simonheckmann.de> asked..
 >
 >> Why does it only handle asymmetric encryption? Something to
 >> encrypt/decrypt data with e.g. AES would be nice as well!
 >
 > I do need to add a symmetric encryption API as well, my current focus has
 > been on the exchange of messages between web users, but that is only one
 > facet of the results of this effort. I should look at the big picture a bit
 > and think about what that API should look like.

Various folks have been thinking about the need to leverage platform crypto
functions (rather than implementing crypto in "JS libraries") via a
standardized API for browser-side web app code such that a swath of use cases
is addressed. Here are a couple of examples of such position statements..

   The Need for a Web Security API
   http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf

   Wanted: Native JS Encryption
   http://robert.accettura.com/blog/2011/03/03/wanted-native-js-encryption/
   https://mail.mozilla.org/pipermail/es-discuss/2011-March/013144.html

Some have noted that there ought to be a very high level API built on top of
such a substrate that web app developers could use for their more common use
cases. Keyczar is one example of such an API <http://www.keyczar.org/>, and
cryptlib is another
<http://www.cryptlib.com/security-software/programming-code-examples>.


Adam Barth replied..
 >
 > David Dahl said..
 >
 >> Yes, that is the case, I am using NSS. I imagine other browser vendors
 >> would also use NSS to implement this.
 >
 > It's very unlikely that Microsoft will use NSS to implement this API in IE.

Agreed.  We nominally need an API that can be implemented by interfacing with 
NSS and CAPI (Microsoft Cryptography API) (arguably as well as OpenSSL, GPG, 
OpenPGP, etc).

fyi/fwiw, another thread from earlier this year cross-posted between this list
and <es-discuss at mozilla.org> noted that there is some discussion amongst the
ECMAScript spec folk about defining "a real crypto API"..

   [whatwg] Cryptographically strong random numbers  (Mark Miller)
   <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-February/030452.html>


=JeffH

Received on Monday, 23 May 2011 21:33:06 UTC