A Working Group

2011/11/04 — 2 Comments

This week I attended the W3C annual meeting known as “TPAC” in Santa Clara. I went to discuss the possible formation of a “Web Identity Working Group” to begin the process of possibly standardizing Identity APIs and protocols, of which DOMCrypt was acting as a straw man proposal for a DOM/JS Crypto API.

The short story is that “Web Identity” APIs and protocols are still very much in an R&D phase and while incredibly important, there was not much agreement between interested parties on what to begin working on.

A high-level, hard-to-muck-up, asynchronous crypto API, on the other hand, had massive support from almost all of the interested parties involved. In the end, a “Web Cryptography Working Group” is being established, and I have thrown my hat into the ring as an “editor candidate”.

One of the first tasks is to clearly define what is “in scope”, “out of scope” and what features can be considered part of a potential “road map”. The starting point for this API will have to be a bit narrow, with no UI-based features so we can establish core functionality without too much complexity.

The current charter is here: http://www.w3.org/wiki/IdentityCharter#Web_Cryptography_Working_Group_Charter (I have a feeling this URL will change soon)

This is pretty exciting stuff. I met with a whole lot of folks from Microsoft, Google, Apple, Netflix and other companies that have many potential use cases. We need to collect as many use cases as possible in order to understand the most common uses so the first iteration will provide the best capabilities. If you have a use case in mind, do not hesitate to send it to me (ddahl + at + mozilla dot com) or the w3 mailing list, public-webcrypto@w3.org (which is yet to be set up).

2 responses to A Working Group

  1. 

    I’ve read a few pieces about your work on DOM Crypto, but so far I haven’t really managed to work out what kind of use cases it’s aimed at. The charter provides some more information, and I get the impression one of the use cases would be to secure AJAX requests within sites like Facebook which might contain personal information. Is that on the right track?

    A more far-fetched possibility is protecting video streams. I know sites like YouTube won’t fully be able to switch away from Flash until they can protect content being passed to users. Would WebCrypto be something to work towards that goal or am I barking up completely the wrong tree?

    • 

      The use cases are varied: messaging, code signing, device identity (imagine a Blu-ray player that has an embedded WebKit browser in it), digital signatures. I began working on DOMCrypt out of a concern for user control. Most messaging has moved to the web. The messages that we send to each other via web apps are nearly always shared with a 3rd party. There needs to be a way to do messaging via the web where the message content is only known to those who are addressed. This use case alone is justification for a standard API. We need to find ways to increase privacy, as we all know this is becoming a rare thing in our modern, digital lives. That being said, there are so many other use cases and general utility to be had with this API.
