One step toward interoperable security on the web!

One year ago, discussions about identity and security were crowded in W3C meetings.

Crowded and controversial.

How to bring more security and interoperability to web apps? How to serve use cases such as identity management? Why not have interoperable features for protecting peer-to-peer communications? And if that happens, isn't it a dream to think that JavaScript may be secured one day?

Mozilla was key in those exchanges, driven by their strategy to develop some cryptographic functions [1] and roll out their strategy on identity and Persona [2]. But other companies such as Microsoft, Google, Netflix and Gemalto (which I am with) were also interested in actually moving on. After turning the question over and gathering contributions and reactions, W3C made up its mind and launched a working group with the mission of providing developers with the basics of cryptography. The charter was defined, the chair was chosen (by chance, me), the W3C team contacts were assigned (Harry Halpin and Wendy Seltzer) and the group was kicked off in May 2012 [3]. With 19 organizations represented, plus 11 invited experts [4], the working group has been working for 4 months on a very regular basis, including over the summer, investing 20 hours of conference calls, 2 days of face-to-face meetings and almost 1000 mails exchanged, and the result is here: the Web Crypto API is now going to First Public Working Draft [5]. The particular dedication of Ryan Sleevi, one of the editors, from Google, was key to defining this API and offering it to web developers.

But what exactly is offered there? Basic tools for generating random values, generating keys, and performing basic cryptographic operations such as encryption and signing. This will allow any web app to build its own security policy, in addition to using HTTPS.

Is it perfect? No. Of course there is room for improvement: stories about key transfer, key cloning, key identifiers and access control on keys need to be elaborated. The working group is already engaged in solving those issues, in addition to analyzing comments from the industry, which is exactly the purpose of the First Public Working Draft in the W3C process. This is a basis on which the industry concerned with security and interoperability can start discussing, testing and arguing!

If you feel this JavaScript API is important, read it! If you find it awful, say it! The working group and the chair will definitely be happy to hear more from you on the public mailing list public-webcrypto-comments@w3.org!

[1] DOM Crypto by Mozilla
[2] Persona by Mozilla
[3] W3C Web Crypto WG wiki
[4] Web Crypto WG participants
[5] Web Crypto API for comments
