Web Crypto

Apr 3, 2014 at 3:33 PM
http://status.modern.ie/ says that Web Crypto is in IE 11.

I just checked.

Both Firefox and Chrome say: "No native Web Crytography API, falling back to polycrypt."

Apr 3, 2014 at 4:39 PM
Notice how the spec it is based on explicitly rejects using client certs with TLS. This matters because one of the goals of Thali is to NOT provide for third party verifiable communications. In other words I don't want every conversation I have with someone to turn into a cryptographically authenticated record that can be used against me for the rest of my life. By using TLS with mutual auth we achieve this goal nicely.

Now, to be fair, the spec does say it will support OTR messaging which achieves the same goal. But now we have to introduce a brand new layer into our apps to support that. What's beautiful about TLS with mutual auth is it 'just works' and our app layer doesn't need to know the details beyond the universal challenges of channel binding. But thankfully channel binding isn't magic. If you look at how we handle the principal object in the TDH you will see that we hook it straight into the SSL channel so it has full knowledge of the stack.

But still, it's already clear that sooner rather than later we will be able to build all of Thali in JavaScript. I can't say I'm particularly thrilled about that since I can't stand JavaScript but the world doesn't seem to ask me my opinion. :)
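
The distinction drawn in the post above, between an authenticated channel and a third-party verifiable record, shown as an added example that is not part of the thread and is not Thali code. It uses Node.js's built-in `crypto` module rather than the Web Crypto API so that it runs synchronously; Alice, Bob, the function names and the sample messages are all hypothetical.

```javascript
// Added example, not Thali code. Uses only Node.js's built-in crypto module.
const crypto = require('node:crypto');

// Channel-style integrity: one symmetric key that BOTH peers hold, as with
// the keys each end of a TLS connection derives for application data.
function macTag(sharedKey, msg) {
  return crypto.createHmac('sha256', sharedKey).update(msg).digest();
}

// What a third party can check if one peer hands over key, message and tag.
function thirdPartyChecksMac(sharedKey, msg, tag) {
  return crypto.timingSafeEqual(tag, macTag(sharedKey, msg));
}

// Message-level signature: only the sender holds the private key (Ed25519).
function signMessage(privateKey, msg) {
  return crypto.sign(null, msg, privateKey);
}

function thirdPartyChecksSignature(publicKey, msg, sig) {
  return crypto.verify(null, msg, publicKey, sig);
}

function demo() {
  // Constructed sample data: Alice and Bob are hypothetical peers.
  const genuine = Buffer.from('constructed sample: what Alice really sent');
  const forged = Buffer.from('constructed sample: words Alice never wrote');
  const sharedKey = crypto.randomBytes(32);
  const alice = crypto.generateKeyPairSync('ed25519');
  const bob = crypto.generateKeyPairSync('ed25519');

  return {
    // Bob holds sharedKey too, so he can tag any text he likes. Both tags
    // verify, and the tag cannot show which peer produced it.
    macGenuine: thirdPartyChecksMac(sharedKey, genuine, macTag(sharedKey, genuine)),
    macForgedByBob: thirdPartyChecksMac(sharedKey, forged, macTag(sharedKey, forged)),
    // Alice's signature verifies for anyone with her public key, forever.
    sigGenuine: thirdPartyChecksSignature(
      alice.publicKey, genuine, signMessage(alice.privateKey, genuine)),
    // Bob cannot produce a signature that verifies under Alice's key.
    sigForgedByBob: thirdPartyChecksSignature(
      alice.publicKey, forged, signMessage(bob.privateKey, forged)),
  };
}

console.log(demo());
```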