Search Mailing List Archives
[liberationtech] WebCrypto API last call
bascule at gmail.com
Wed May 14 22:42:49 PDT 2014
I've posted my thoughts about WebCrypto here, FWIW:
On Wed, May 14, 2014 at 10:26 PM, elijah <elijah at riseup.net> wrote:
> As a reminder, W3C WebCrypto API  is currently in "Last Call Working
> Draft". Speak now or forever hold your peace, as they say. This is going
> to be in the browsers sooner than you think.
> There is a lot to like, and a lot to dislike. Some things to dislike:
> (1) rejection of Curve 25519 as part of the standard.
> (2) "extractable" key insanity
> What is an extractable key? If a private key has the extractable flag
> material, presumably to send it to the server and back it up on the
> user's behalf. How convenient. Unless the user has control over whether
> this can be enabled or disabled, extractable keys are basically a giant
> backdoor that reduces the security of WebCrypto's key management to
> nothing much better than what we have now (trust the origin for
> If you have comments, follow the directions on .
>  http://www.w3.org/TR/WebCryptoAPI/
>  http://www.w3.org/TR/WebCryptoAPI/#dfn-Key-extractable
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> Unsubscribe, change to digest, or change password by emailing moderator at
> companys at stanford.edu.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the liberationtech