=JeffH | 3 Jun 18:23 2011

Re: status on call for JavaScript (JS) Crypto Support (was: Paper for W3C Identity in the Browser Workshop)


The paper that Sean, Stephen, & PeterSA wrote that was discussed here at the 
end of april, is published here..

   The Need for a Web Security API

It turns out that at that workshop 
<http://www.w3.org/2011/identity-ws/agenda.html> the need for such crypto 
support was mentioned either directly or or tacitly implied by several of the 
other presenters/authors/participants. So when the workshop was summed up, it 
was among the proposals with the most interest on the part of those present. See..

The W3C Identity in the Browser workshop: Final Report Rough Notes

In fact, there's been work going on from time-to-time wrt  JavaScript (JS) 
"native" crypto APIs, and David Dahl (Mozilla) has been working on that of 
late, and has a prototype.

He recently posted the below message to several lists, but the main discussion 
appears to be occurring on the public-webapps <at> w3.org list. Here's the root of 
the thread..

Request for feedback: DOMCrypt API proposal

Also, fyi/fwiw, there's been recent discussion on this topic on the WhatWG 
(i.e. HTML) list..

   [whatwg] window.cipher HTML crypto API draft spec

(there's also on-and-off crypto api discussions on that list predating the 
above, e.g. in Feb-2011)



Subject: Request for feedback: DOMCrypt API proposal
From: David Dahl <ddahl <at> mozilla.com>
Date: Wed, 1 Jun 2011 15:54:47 -0700 (PDT)
To: public-webapps <at> w3.org

Hello public-webapps members,

(I wanted to post this proposed draft spec for the DOMCrypt API ( 
https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest ) to this list 
- if there is a more fitting mailing list, please let me know)

I recently posted this draft spec for a crypto API for browsers to the whatwg 
(see: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html) 
and wanted to get feedback from W3C as well.

Privacy and user control on the web is of utter importance. Tracking, 
unauthorized user data aggregation and personal information breaches are 
becoming so commonplace you see a new headline almost daily. (It seems).

We need crypto APIs in browsers to allow developers to create more secure 
communications tools and web applications that don’t have to implicitly trust 
the server, among other use cases.

The DOMCrypt API is a good start, and more feedback and discussion will really 
help round out how all of this should work – as well as how it can work in any 
browser that will support such an API.

This API will provide each web browser window with a ‘cipher’ property[1] that 

     asymmetric encryption key pair generation
     public key encryption
     public key decryption
     symmetric encryption
     signature generation
     signature verification
     easy public key discovery via meta tags or an ‘addressbookentry’ tag

[1] There is a bit of discussion around adding this API to window.navigator or 
consolidation within window.crypto

I have created a Firefox extension that implements most of the above, and am 
working on an experimental patch that integrates this API into Firefox.

The project originated in an extension I wrote, the home page is here: 

The source code for the extension is here: https://github.com/daviddahl/domcrypt

The Mozilla bugs are here:


Firefox "feature wiki page": https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI

You can test the API by installing the extension hosted at domcrypt.org, and 
going to http://domcrypt.org

A recent blog post updating all of this is posted here: 

The API:

window.cipher = {
  // Public Key API
  pk: {
    set algorithm(algorithm){ },
    get algorithm(){ },

   // Generate a keypair and then execute the callback function
   generateKeypair: function ( function callback( aPublicKey ) { } ) {  },

   // encrypt a plainText
   encrypt: function ( plainText, function callback (cipherMessageObject) ) { 
} ) {  },

   // decrypt a cipherMessage
   decrypt: function ( cipherMessageObject, function callback ( plainText ) { } 
) {  },

   // sign a message
   sign: function ( plainText, function callback ( signature ) { } ) {  },

   // verify a signature
   verify: function ( signature, plainText, function callback ( boolean ) { } ) 
{  },

   // get the JSON cipherAddressbook
   get addressbook() {},

   // make changes to the addressbook
   saveAddressbook: function (JSONObject, function callback ( addresssbook ) { 
}) {  }

   // Symmetric Crypto API
   sym: {
   get algorithm(),
   set algorithm(algorithm),

   // create a new symmetric key
   generateKey: function (function callback ( key ){ }) {  },

   // encrypt some data
   encrypt: function (plainText, key, function callback( cipherText ){ }) {  },

   // decrypt some data
   decrypt: function (cipherText, key, function callback( plainText ) { }) {  },

   // hashing
   hash: {
     SHA256: function (function callback (hash){}) {  }

Your feedback and criticism will be invaluable.

Best regards,

David Dahl

Firefox Engineer, Mozilla Corp.