This spec is also incredibly vague: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
There's no description of what these functions do. There's no way this spec can be used to create a second interoperable implementation. Adam On Thu, Jun 2, 2011 at 4:19 PM, Adam Barth <[email protected]> wrote: > Why only SHA256? Presumably sha1 and md5 are worth exposing as well. > Also, pk and sym appear to be algorithm agonistic but hash isn't. In > addition to hashing, it would be valuable to expose HMAC modes of the > hash functions. > > In the pk API, there doesn't seem to be any way to install a > public/private keypair from another location (e.g., the network). > Also, the encrypt and decrypt functions don't let me specify which > public key I want to use. Consider introducing a keyID concept to let > me refer to keypairs. > > What is a cipherAddressbook ? > > When I use generateKeypair, how long dose the keypair persist? Is are > their privacy implications? > > Finally, this all should be on the crypto object, not on a new cipher object. > > Adam > > > On Wed, Jun 1, 2011 at 3:54 PM, David Dahl <[email protected]> wrote: >> Hello public-webapps members, >> >> (I wanted to post this proposed draft spec for the DOMCrypt API ( >> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest ) to this >> list - if there is a more fitting mailing list, please let me know) >> >> I recently posted this draft spec for a crypto API for browsers to the >> whatwg (see: >> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html) >> and wanted to get feedback from W3C as well. >> >> Privacy and user control on the web is of utter importance. Tracking, >> unauthorized user data aggregation and personal information breaches are >> becoming so commonplace you see a new headline almost daily. (It seems). >> >> We need crypto APIs in browsers to allow developers to create more secure >> communications tools and web applications that don’t have to implicitly >> trust the server, among other use cases. >> >> The DOMCrypt API is a good start, and more feedback and discussion will >> really help round out how all of this should work – as well as how it can >> work in any browser that will support such an API. >> >> This API will provide each web browser window with a ‘cipher’ property[1] >> that facilitates: >> >> asymmetric encryption key pair generation >> public key encryption >> public key decryption >> symmetric encryption >> signature generation >> signature verification >> hashing >> easy public key discovery via meta tags or an ‘addressbookentry’ tag >> >> [1] There is a bit of discussion around adding this API to window.navigator >> or consolidation within window.crypto >> >> I have created a Firefox extension that implements most of the above, and am >> working on an experimental patch that integrates this API into Firefox. >> >> The project originated in an extension I wrote, the home page is here: >> http://domcrypt.org >> >> The source code for the extension is here: >> https://github.com/daviddahl/domcrypt >> >> The Mozilla bugs are here: >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=649154 >> https://bugzilla.mozilla.org/show_bug.cgi?id=657432 >> >> Firefox "feature wiki page": >> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI >> >> You can test the API by installing the extension hosted at domcrypt.org, and >> going to http://domcrypt.org >> >> A recent blog post updating all of this is posted here: >> http://monocleglobe..wordpress.com/2011/06/01/domcrypt-update-2011-06-01/ >> >> The API: >> >> window.cipher = { >> // Public Key API >> pk: { >> set algorithm(algorithm){ }, >> get algorithm(){ }, >> >> // Generate a keypair and then execute the callback function >> generateKeypair: function ( function callback( aPublicKey ) { } ) { }, >> >> // encrypt a plainText >> encrypt: function ( plainText, function callback (cipherMessageObject) ) { >> } ) { }, >> >> // decrypt a cipherMessage >> decrypt: function ( cipherMessageObject, function callback ( plainText ) { >> } ) { }, >> >> // sign a message >> sign: function ( plainText, function callback ( signature ) { } ) { }, >> >> // verify a signature >> verify: function ( signature, plainText, function callback ( boolean ) { } >> ) { }, >> >> // get the JSON cipherAddressbook >> get addressbook() {}, >> >> // make changes to the addressbook >> saveAddressbook: function (JSONObject, function callback ( addresssbook ) { >> }) { } >> }, >> >> // Symmetric Crypto API >> sym: { >> get algorithm(), >> set algorithm(algorithm), >> >> // create a new symmetric key >> generateKey: function (function callback ( key ){ }) { }, >> >> // encrypt some data >> encrypt: function (plainText, key, function callback( cipherText ){ }) { }, >> >> // decrypt some data >> decrypt: function (cipherText, key, function callback( plainText ) { }) { >> }, >> }, >> >> // hashing >> hash: { >> SHA256: function (function callback (hash){}) { } >> } >> } >> >> Your feedback and criticism will be invaluable. >> >> Best regards, >> >> David Dahl >> >> Firefox Engineer, Mozilla Corp. >> >> >> >
