[webkit-dev] DOMCrypt

[Adam Barth]

A couple updates to this thread:

1) DOMCrypt seems to be moving along the W3C path.  There isn't a
working group set up yet, but there seems to be sufficient interest
that a W3C activity appears to be spinning up around this effort.

2) Ian Fette met with a number of banks in South Korean and Taiwan,
and they're interested in using this API to replace their current
reliance on ActiveX-based security plug-ins.

I'm sure that many of you are more familiar with the "Korean Bank
problem" than I am, but the main issue is that folks in Korea have
trouble adopting non-IE browsers because their banks use ActiveX
plug-ins to interact with certificates in order to help secure some of
their banking interactions.  One way we'd like to improve the web
platform is to provide the web platform is to provide support for
these use cases.

The exact requirements from the Korean Banks are somewhat involved,
and I'm not entirely sure we've understood them fully yet, so we'd
like to start experimenting with something that seems generally useful
and see whether how well it addresses their needs.  I've added a brief
description of one starting point for this discussion to the Mozilla
wiki on DOMCrypt:

https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest#Possible_Additions

(Note: I haven't discussed this use case with David Dahl yet, so it is
entirely possible this will be cut from DOMCrypt.)

One thing that would be helpful in making progress here would be to
start experimenting with this API in WebKit.  I suspect we'll need to
iterate a number of times on the API in order to make sure we end up
with something that works for these Korean banks.  Having running code
that they can play with would be very useful, especially in light of
the language barrier.

I'd like to re-iterate that we have no intention of enabling this
feature by default until the specification and standards process is
more mature.  Experimenting with this API should have very little
impact on other consumers of WebKit.

Thanks,
Adam


On Wed, Jul 27, 2011 at 10:06 AM, Sam Weinig <weinig at apple.com> wrote:
> I think we should let the spec mature a bit before diving in.
>
> -Sam
>
> On Jul 26, 2011, at 10:53 PM, Adam Barth wrote:
>
>> Hi webkit-dev,
>>
>> As some of you are probably aware, Mozilla is experimenting with
>> exposing some basic cryptographic primitives to web applications:
>>
>> https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
>>
>> I wanted to get a sense from the WebKit community about how interested
>> we are in implementing this feature.  My sense is that this API is
>> fairly early in it's lifecycle, so one perspective is that we should
>> wait for Mozilla to experiment for a bit longer and revisit this
>> question once the design is further along (e.g., submitted to the W3C
>> standards process).
>>
>> Another perspective is that there are some simple parts of the API
>> that we should implement now, and we can grow into the more involved
>> parts of the API as they mature.  For example, the CryptoHash
>> interface can be implemented independently of the rest of the API and
>> provides value by itself.
>>
>> Thoughts?
>>
>> Adam
>> _______________________________________________
>> webkit-dev mailing list
>> webkit-dev at lists.webkit.org
>> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
>
>