----- Original Message -----
> From: "Simon Heckmann" <[email protected]>
> To: "Adam Barth" <[email protected]>
> Cc: "Silvia Pfeiffer" <[email protected]>, "WHATWG Proposals" <[email protected]>, "David Dahl" <[email protected]>
> Sent: Wednesday, July 27, 2011 4:13:38 AM
> Subject: Re: [whatwg] DOMCrypt update: July 14 Meeting Report

> I totally agree with you. My code was just an example. I also think it
> should be idiot proof.
>
> However, I think the whole API should be loosely coupled. Requiring the
> client to initialize a cryptographic function on the server seems too
> tightly linked.

This is how we can limit the scope and reduce the attacks that are possible cross-domain. The keypair is usable only with the origin that created it.

> I think it should be possible to decrypt any chunk of
> data with the DOMCrypt API as long as I know the algorithm and the
> key. But maybe this is out of scope and I am thinking in too universal
> concepts?

Perhaps, however, your use cases are not out of the question. We just want to start with a smaller surface, making this API simpler to implement and use.

Regards,

David
