There has been so much written and discussed online and off about privacy, user control and identity lately. This dovetails nicely with the draft spec for DOMCrypt as a proposed Crypto API for web browsers.
See: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
DOMCrypt was discussed on the WHATWG mailing list last week, see: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html
I have summarized the discussion here: http://etherpad.mozilla.com:9000/DOMCrypt-discussion
Out of these discussions, I have updated the Firefox feature page: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI
A Use-cases page was created, see: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI/UseCases
For anyone unfamiliar with DOMCrypt, this proposal in a nutshell says:
Privacy and user control on the web is of utter importance. Tracking, unauthorized user data aggregation and personal information breaches are becoming so commonplace you see a new headline almost daily. (It seems).
We need crypto APIs in browsers to allow developers to create more secure communications tools and web applications that don’t have to implicitly trust the server.
The DOMCrypt API is a good start, and more feedback and discussion will really help round out how all of this should work – as well as how it can work in any browser that will support such an API.
This API will provide each web browser window with a ‘cipher’ property[1] that facilitates:
- asymmetric encryption key pair generation
- public key encryption
- public key decryption
- symmetric encryption
- signature generation
- signature verification
- hashing
- easy public key discovery via meta tags or an ‘addressbookentry’ tag
[1] There is a bit of discussion around adding this API to window.navigator or consolidation within window.crypto
I have created a Firefox extension that implements most of the above, and am working on an experimental patch that integrates this API into Firefox.
The project originated in an extension I wrote, the home page is here: http://domcrypt.org
The source code for the extension is here: https://github.com/daviddahl/domcrypt
The Mozilla bugs are here:
You can test the API by installing the extension hosted at domcrypt.org and addons.mozilla.org, and going to http://domcrypt.org
The API:
window.cipher = {
// Public Key API
pk: {
set algorithm(algorithm){ },
get algorithm(){ },
// Generate a keypair and then execute the callback function
generateKeypair: function ( function callback( aPublicKey ) { } ) { },
// encrypt a plainText
encrypt: function ( plainText, function callback (cipherMessageObject) ) { } ) { },
// decrypt a cipherMessage
decrypt: function ( cipherMessageObject, function callback ( plainText ) { } ) { },
// sign a message
sign: function ( plainText, function callback ( signature ) { } ) { },
// verify a signature
verify: function ( signature, plainText, function callback ( boolean ) { } ) { },
// get the JSON cipherAddressbook
get addressbook() {},
// make changes to the addressbook
saveAddressbook: function (JSONObject, function callback ( addresssbook ) { }) { }
},
// Symmetric Crypto API
sym: {
get algorithm(),
set algorithm(algorithm),
// create a new symmetric key
generateKey: function (function callback ( key ){ }) { },
// encrypt some data
encrypt: function (plainText, key, function callback( cipherText ){ }) { },
// decrypt some data
decrypt: function (cipherText, key, function callback( plainText ) { }) { },
},
// hashing
hash: {
SHA256: function (function callback (hash){}) { }
}
}
I am in the process of posting this proposed spec for review by the W3C webapps list and TC39. Your feedback and / or help with this effort will be greatly appreciated.