On 02/14/2013 07:54 AM, David Dahl wrote:
----- Original Message -----
From: "Gervase Markham"<g...@mozilla.org>
To: mozilla-dev-tech-cry...@lists.mozilla.org
Cc: "Eric Rescorla"<e...@mozilla.com>, "Brian Smith"<bsm...@mozilla.com>, "Brendan Eich"<bren...@mozilla.com>, "Ben Adida"<benad...@mozilla.com>, "Brian Warner"<war...@mozilla.com>
Sent: Thursday, February 14, 2013 5:22:41 AM
Subject: Re: Web Crypto API(s) and what Mozilla wants / needs

On 13/02/13 20:55, David Dahl wrote:
The main issue is: What does Mozilla actually need here? What is
Mozilla's official policy or thinking on a crypto API for the DOM?
As you are the Mozillian with most experience in this area, I'd say that
insofar as we will ever have an official policy, it's likely to be "what
you think" (after taking the input of others, as you are doing). Please
feel empowered :-)
Ah, thanks! I am, however, not a 'crypto expert' and would like the actual 
experts to weigh in and set the 'policy' (for lack of a better word). At this 
point in the game, it would seem that FirefoxOS, with its enhanced security 
model, would benefit greatly from APIs like this. I am hoping that will help in 
garnering the resources to implement and/or develop an engineering schedule for 
this.

-david
Well, I am quite pleased with the approach of providing a limited controllable set of primitives that are easy to use. The encrypt/sign - decrypt/verify using PKI completely sounds like the right first primitive to supply, along with seal/unseal. Key management/key exchange is the hardest part to get right in crypto. Both of these provide the simplest model for managing these things.

I'm sure there are lots of applications where these primitives are insufficient, but enabling a stable set that is easy for the non-crypto person to get right definitely sounds like the right way to move forward. (Both of these also have the advantage of allowing you to define APIs where algorithm selection can be automatic, meaning the users automatically get new algorithm support without having to change the JavaScript application.)


bob

Gerv
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


