Why do so few projects use SJCL? Whenever I see a project like this I always have my fingers crossed that they will be using sjcl but it never pans out.
We evaluated several libraries (all JS crypto libraries we could find actually - there aren't many) and CryptoJS suited our needs the best. Specifically, it includes PBKDF2 and CFB mode for AES which SJCL doesn't have right now.
We have encountered subtle problems with the CryptoJS API, and we plan on giving back and writing a JS crypto library using the lessons we've learned from this project.
I guess I would have to ask what they would be using SJCL on, but I believe that there have been several conceptual issues noted by guys like tptacek to keep from recommending any client-side JS crypto (incl. SJCL) in general.
FYI, our choices for upstream JS crypto libs aren't set in stone. We may ultimately go with SJCL -- we're not fully satisfied with the libs we're using. They need some cleanup in various areas if we do stick with them.
