For the uninitiated, DOMCrypt is a browser window API I have been working on that makes using public key and symmetric crypto as well as hashing easy and fast for web developers. The current implementation is a Firefox add-on as well as a patch for Firefox.
Secondly, I have created a proper WebIDL document to describe the API: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest#Browser_Window_property_WebIDL
The mailing list archives for the 3 lists I requested feedback and criticism from are here:
- WHATWG: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-May/031741.html
- W3C: http://lists.w3.org/Archives/Public/public-web-security/2011Jun/0000.html
- es-discuss: https://mail.mozilla.org/pipermail/es-discuss/2011-June/014892.html
The consensus seems to be that this is a good idea – and a good place to start for a *high-level* browser-based crypto API. Some of the changes that should be made are:
- Fold this API into the existing window.crypto property to avoid confusion
- Removed the ‘addressbook’ sub-API as it adds too much undefined complexity (for now, anyway – I hope to revisit this concept in a separate spec)
- Add an algorithm property to each sub-API to allow for forward migration to better, faster crypto
- Add an HMAC sub-API to round out the API
All of this has been reflected in the spec.
I have attempted to aggregate most of the discussion into this etherpad (may need some updating): http://etherpad.mozilla.com:9000/DOMCrypt-discussion
As far as the Gecko implementation is concerned, Brian Smith has been giving me a lot of pointers on what will be a better implementation, starting with a new set of APIs to more easily handle the interfacing with NSS, see bug 662674
I would love to collect more feedback on this API, please do not hesitate to join in on the discussion.
It seems like the time is right for this to gain steam as we see the effect of not having these tools – in what seems like daily personal data breaches on the web. I think an API like DOMCrypt will help spur new communications tools that have security, privacy and user control built in from the ground up.