23498 2013-10-14 19:47:57 +0000 Should the nonce, IV, and associated data be separated? 2014-01-24 23:53:40 +0000 1 1 1 Unclassified Web Cryptography Web Cryptography API Document unspecified PC Linux RESOLVED WONTFIX P2 normal --- 1 hhalpin sleevi ap watsonm oldest_to_newest 94687 0 hhalpin 2013-10-14 19:47:57 +0000 The API should be suggestive of the right use. The encrypt interface seems to be missing some key parameters. For symmetric encryption I would suggest expanding it to Promise<any> encrypt(AlgorithmIdentifier algorithm, Key key, Nonce nonce, sequence<CryptoOperationData> associatedData); sequence<CryptoOperationData> cleartextData); As is, the Nonce and associatedData arguments are missing. As a result, in several modes the IV and associatedData are given as parameters to the algorithms. I worry that this will confuse developers into thinking that the IV and associatedData are set once when the key is initialized and never changed again. But both, especially the nonce, will need to be different for every message. At least if it is being passed in it would suggest to the developer that the nonce would be changed. Similarly, AES-GCM decrypt will need to take as input the ciphertext *and* associatedData. Would associatedData always be given as an algorithm parameter? (Dan Boneh) at least if it is being passed in it would suggest to the developer that the nonce would be changed. http://lists.w3.org/Archives/Public/public-webcrypto/2013Sep/0055.html Related Actions Items: 99057 1 watsonm 2014-01-24 23:53:40 +0000 There was no response to Ryan's comments on the list: http://lists.w3.org/Archives/Public/public-webcrypto/2013Oct/0022.html