HTML5-compliant cloud services?
NSA-compliant cloud services more like.
Lovely idea though.
Well that'll be proprietary, patent encumbered and only work with WinDOZE H8TE - fuck you M$!
There. I said it for you, you can all go home now.
The well-known psychological trick of PREEMPTEADONIZATION to prematurely shut down discussion won't work here, running redmondian dog lackey!
I think it's the juxtaposition with the capitals above it, but I keep parsing that as "redmondian turkey dog lackey", which is kind of cool, in a Monty Python Taunting way.
But I would have upvoted anyway (and did).
"There. I said it for you, you can all go home now."
Here, have an Up Vote for the effort you Windoze fanboi...
"and MS notes that this library will probably be replaced in future versions."
Obvious problem there - even if they don't quietly slip the NSA back-doored version in later, who is going to believe them that they won't? (Or won't have their arms twisted to do so.)
Try reading it.
And once it's finished it can be signed with the check sum in a public location so it's easy to verify.
Which you can look at because you're downloading it and verify for yourself.
The back-end systems are a different matter, of course, but this bit literally cannot be other than legit without everyone knowing about it inside about a day.
You know, I don't really like MS very much. Not much at all, in fact. The only thing they do for me is (indirectly) keep me in work. If they went bust I'd still have work, albeit using different tools but for now they keep me in work. No, I do not work for them. I really am not all that keen on any giant multinational money machine, to be honest. None of them are my friend and none of them want to be.
I am aware that here on the Register, it can seem that I am pro-Microsoft. I am not. It only looks that way because the commentards here are so anti-Microsoft that they are, in large numbers, utterly irrational on the subject. It's an odd situation. To autoGodwinize, it's a bit like accusing Oskar Schindler of being an Elder of Zion instead of just anti-murder.
Is anyone else amused by the idea of cryptographic algorithms implemented in a language without a true integer type?
I think it's kind of adorable.
I think that green writing on a black blog background is kind of cute and adorable, but that doesn't make it right.
The way that integers/numbers work in JS is down to the IEEE spec for floating point numbers - don't blame the language for THAT.
I think that Jamie Zawinski can get away with doing his blog in b1ff if he so chooses, and he will still have more credibility than the average Reg commentard when it comes to complaining about ECMA stupidity.
Could be worse. Have you ever tried working in a language that uses integers as bools because it doesn't have real bools?
That's one of many insane problems with it (it also lacks real arrays for instance). Rumor amongst the community is that the guy who created the language did so in one all-nighter while drunk. It's not a hard rumor to believe. I suspect it would die a very quick death were there any other alternative in the environment where it's used.
In fairness, some of the best code I've ever written I did while drunk.
Then don't write in it. Those of us who do use it can actually get quite attached to its almost psychopathic casting and crazy function scope. Going back to a strongly typed language with real arrays is a step backwards in a lot of ways. You mean I can't just push and pop things off that array? I have to check that string for being nothing and for being empty? Tedious. Or just different, ymmv.
"MS notes that most of [...] is supported, with the exception of “promises”."
MS promises not supported... So standard MS SOP then....
Apologies, couldn't resist.
Isn't that like a Ford Pinto on a race track?
You mean like this one?
Client side crypto - what could go wrong!?
Point being - the crypto itself can be harder than a coffin nail but that counts for nothing if the environment the code is running in can't be trusted? Or is the idea that I'd be running this through Node.js or something?
Re: Client side crypto - what could go wrong!?
That's not a description of an attack scenario; it's a vague handwave in the direction of one. You might as well ask "what's to stop me from preventing the user from encrypting sensitive data?". We don't know, because you haven't described the application.
The point of the WebCrypto API is to provide a standard way for a user agent ("browser") to encrypt, and apply other cryptographic primitives (digest, signature, pad, HMAC, etc) to select pieces of data. Then it might send the results of such an operation to a server, or it might not; and it might apply those operations to data received from a server.
Re: Client side crypto - what could go wrong!?
It seems I'm not making myself clear as you have overgeneralized what I'm saying. I'm not providing a critique - I'm asking for genuine opinions on why I would want to do my cryptography in an untrusted environment.
The last reading I did on the subject was this document which makes some very valid points and explains the issue better than I did above:
So - I'm asking out of genuine interest - does WebCrypto advance us further from where we were when this document was written?