On 10 December 2014 at 18:26, Mark Watson <watsonm@netflix.com> wrote:
>
>
> On Wed, Dec 10, 2014 at 9:18 AM, Domenic Denicola <d@domenic.me> wrote:
>>
>>
>> Nope, web crypto needs a secure transport to make any sense at all. It's
>> a bootstrapping problem. If you're on an insecure channel (whether HTTP or
>> employer-MITMed HTTPS), web crypto provides no guarantees at all.
>>
>
> This is a side issue that we should not rathole on, but the reason the
> WebCrypto Working Group declined to restrict WebCrypto to secure origins
> was that there are some *limited* things that can be obtained with
> WebCrypto even for HTTP sites. For example, confidentiality against passive
> monitoring. The counter-argument is that such things are of no utility, but
> that is a use-case-dependent judgement call, rather than a technical issue.
>
+1
<offtopic>
Web crypto has limited use. I've come to the conclusion that localStorage
+ polyfill will meet needs.
</offtopic>
>
> ...Mark
>
>
>
>