Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] WebCrypto API last call

Tony Arcieri bascule at
Wed May 14 22:42:49 PDT 2014

I've posted my thoughts about WebCrypto here, FWIW:

On Wed, May 14, 2014 at 10:26 PM, elijah <elijah at> wrote:

> As a reminder, W3C WebCrypto API [1] is currently in "Last Call Working
> Draft". Speak now or forever hold your peace, as they say. This is going
> to be in the browsers sooner than you think.
> There is a lot to like, and a lot to dislike. Some things to dislike:
> (1) rejection of Curve 25519 as part of the standard.
> (2) "extractable" key insanity
> What is an extractable key? If a private key has the extractable flag
> set [2], then the javascript application will have access to the raw key
> material, presumably to send it to the server and back it up on the
> user's behalf. How convenient. Unless the user has control over whether
> this can be enabled or disabled, extractable keys are basically a giant
> backdoor that reduces the security of WebCrypto's key management to
> nothing much better than what we have now (trust the origin for
> everything).
> If you have comments, follow the directions on [1].
> -elijah
> [1]
> [2]
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list