[cryptography] Web Cryptography API (W3C Working Draft 8 January 2013)

Paterson, Kenny Kenny.Paterson at rhul.ac.uk
Sun Mar 10 07:14:46 EDT 2013


On 10 Mar 2013, at 11:01, Ben Laurie wrote:

> On 10 March 2013 10:58, Paterson, Kenny <Kenny.Paterson at rhul.ac.uk> wrote:
>> 
>> 
>> Right here:  http://www.w3.org/TR/WebCryptoAPI:
> 
> Somehow missed that. Thanks.
> 
>> 19.1. Recommended algorithms
>> 
>> This section is non-normative
>> 
>> As the API is meant to be extensible in order to keep up with future
>> developments within cryptography and to provide flexibility, there are no
>> strictly required algorithms. Thus users of this API should check to see
>> what algorithms are currently recommended and supported by implementations.
> 
> So ... despite Ryan's claim that the recommendations are for API
> implementers, it says here that they're also for users of the API.
> 
> In which case, clearly, AE modes should be recommended.

I fully agree. We have already made this point to the WebCrypto folks (see: lists.w3.org/Archives/Public/public-webcrypto/2012Sep/0186.html), but without managing to bring about a shift in their position.

If people want to see how badly things can go wrong when you mix "legacy" (i.e. insecure) and secure algorithms, see, for example, this NDSS 2013 paper:

http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/

[Full disclosure: I am an author on the paper.]

Cheers

Kenny






