3 Jun 2011 18:23
Re: status on call for JavaScript (JS) Crypto Support (was: Paper for W3C Identity in the Browser Workshop)
=JeffH <Jeff.Hodges <at> KingsMountain.com>
2011-06-03 16:23:38 GMT
2011-06-03 16:23:38 GMT
Hi, The paper that Sean, Stephen, & PeterSA wrote that was discussed here at the end of april, is published here.. The Need for a Web Security API <http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_28.pdf> slides: <http://www.w3.org/2011/identity-ws/slides/HodgesFarrellTurnerStAndre.pdf> It turns out that at that workshop <http://www.w3.org/2011/identity-ws/agenda.html> the need for such crypto support was mentioned either directly or or tacitly implied by several of the other presenters/authors/participants. So when the workshop was summed up, it was among the proposals with the most interest on the part of those present. See.. The W3C Identity in the Browser workshop: Final Report Rough Notes <http://www.w3.org/2005/Incubator/socialweb/wiki/IdentityBrowser#Final_Report_Rough_Notes> In fact, there's been work going on from time-to-time wrt JavaScript (JS) "native" crypto APIs, and David Dahl (Mozilla) has been working on that of late, and has a prototype. He recently posted the below message to several lists, but the main discussion appears to be occurring on the public-webapps <at> w3.org list. Here's the root of the thread.. Request for feedback: DOMCrypt API proposal http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/0795.html Also, fyi/fwiw, there's been recent discussion on this topic on the WhatWG (i.e. HTML) list.. [whatwg] window.cipher HTML crypto API draft spec http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2011-May/031741.html (there's also on-and-off crypto api discussions on that list predating the above, e.g. in Feb-2011) HTH, =JeffH --- Subject: Request for feedback: DOMCrypt API proposal From: David Dahl <ddahl <at> mozilla.com> Date: Wed, 1 Jun 2011 15:54:47 -0700 (PDT) To: public-webapps <at> w3.org (text/plain) Hello public-webapps members, (I wanted to post this proposed draft spec for the DOMCrypt API ( https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest ) to this list - if there is a more fitting mailing list, please let me know) I recently posted this draft spec for a crypto API for browsers to the whatwg (see: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html) and wanted to get feedback from W3C as well. Privacy and user control on the web is of utter importance. Tracking, unauthorized user data aggregation and personal information breaches are becoming so commonplace you see a new headline almost daily. (It seems). We need crypto APIs in browsers to allow developers to create more secure communications tools and web applications that don’t have to implicitly trust the server, among other use cases. The DOMCrypt API is a good start, and more feedback and discussion will really help round out how all of this should work – as well as how it can work in any browser that will support such an API. This API will provide each web browser window with a ‘cipher’ property[1] that facilitates: asymmetric encryption key pair generation public key encryption public key decryption symmetric encryption signature generation signature verification hashing easy public key discovery via meta tags or an ‘addressbookentry’ tag [1] There is a bit of discussion around adding this API to window.navigator or consolidation within window.crypto I have created a Firefox extension that implements most of the above, and am working on an experimental patch that integrates this API into Firefox. The project originated in an extension I wrote, the home page is here: http://domcrypt.org The source code for the extension is here: https://github.com/daviddahl/domcrypt The Mozilla bugs are here: https://bugzilla.mozilla.org/show_bug.cgi?id=649154 https://bugzilla.mozilla.org/show_bug.cgi?id=657432 Firefox "feature wiki page": https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI You can test the API by installing the extension hosted at domcrypt.org, and going to http://domcrypt.org A recent blog post updating all of this is posted here: http://monocleglobe..wordpress.com/2011/06/01/domcrypt-update-2011-06-01/ The API: window.cipher = { // Public Key API pk: { set algorithm(algorithm){ }, get algorithm(){ }, // Generate a keypair and then execute the callback function generateKeypair: function ( function callback( aPublicKey ) { } ) { }, // encrypt a plainText encrypt: function ( plainText, function callback (cipherMessageObject) ) { } ) { }, // decrypt a cipherMessage decrypt: function ( cipherMessageObject, function callback ( plainText ) { } ) { }, // sign a message sign: function ( plainText, function callback ( signature ) { } ) { }, // verify a signature verify: function ( signature, plainText, function callback ( boolean ) { } ) { }, // get the JSON cipherAddressbook get addressbook() {}, // make changes to the addressbook saveAddressbook: function (JSONObject, function callback ( addresssbook ) { }) { } }, // Symmetric Crypto API sym: { get algorithm(), set algorithm(algorithm), // create a new symmetric key generateKey: function (function callback ( key ){ }) { }, // encrypt some data encrypt: function (plainText, key, function callback( cipherText ){ }) { }, // decrypt some data decrypt: function (cipherText, key, function callback( plainText ) { }) { }, }, // hashing hash: { SHA256: function (function callback (hash){}) { } } } Your feedback and criticism will be invaluable. Best regards, David Dahl Firefox Engineer, Mozilla Corp. --- end
RSS Feed