----- Original Message ----- > From: "Justin Lebar" <justin.le...@gmail.com> > To: "David Dahl" <dd...@mozilla.com> > Cc: dev-tech-crypto@lists.mozilla.org > Sent: Friday, April 20, 2012 8:38:53 PM > Subject: Re: Feedback on DOMCryptInternalAPI > > Is > > https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest > > a web-facing API? It certainly appears to be; there are demos and > everything. > Yes. I am talking about an internal API that will also be a scriptable interface that supports the eventual 'DOMCrypt'/Web Crypto WebAPI.
> >> > Sure, I don't imagine supporting any other MAC. > >> > >> Never e.g. CMAC? Why not? > > I'll never say never, there is a lot of feedback to gather yet - especially as we hash out the functionality we want. Getting this kind of feedback is good, as it shows use cases I had not considered - for no particular reason. > For the purposes of a web API -- and again, I'm now confused as to > whether any of these APIs are exposed to the web, but I thought they > were -- They will be. The dom-exposed APIs will be a subset of this 'internal' API. > the question isn't whether it's trivial to add CMAC, but > rather whether you want to commit that HMAC is the only MAC you'll > ever want to use on the web. I cannot rule it out, especially not now. It is way to early to rule anything out. > Ah, I thought that this API would handle the hashing for me. That > seems in line with the "it should just work" aspect of the API. For > the same reason, the API doesn't let me choose ECB encryption, and > the > API, I certainly hope, will MAC all encrypted messages and reject > decryption with invalid MACs. > Exactly. This is the kind of thing we want to do for the web-exposed API: no real options and as much safety "built in". The underlying internal API will be quite similar but with more options and configurability. Regards, David -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
