W3C home > Mailing lists > Public > public-webcrypto@w3.org > August 2012

crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API]

From: Web Cryptography Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Mon, 06 Aug 2012 04:46:57 +0000
Message-Id: <E1SyFDV-0000CX-0I@nelson.w3.org>
To: public-webcrypto@w3.org
crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API]

http://www.w3.org/2012/webcrypto/track/issues/16

Raised by: Ryan Sleevi
On product: Web Cryptography API

During the July Face-to-Face, the topic of Key Expiration was raised. However, a solid definition is lacking for what the semantics should be.

Argument for Implementation Semantics:
- Expiration could serve as a quota-management technique. Keys may represent expensive resources, particularly in constrained environments. Therefore, an understanding of how long a key is supposed to live may allow a user agent to remove 'expired' keys over time.

Argument for Application Semantics:
- Expiration should have no specific meaning to the implementation; it is simply provided to the application in an advisory capability to inform the application how a key can/should be used. This is particularly important for implementations that use pre-existing cryptographic APIs, such as OS APIs, as the underlying API may enforce these semantics. An example was given for a keypair where the private key may no longer be able to sign messages after a particular date, but the associated public key may be used to verify existing messages.

Should expiration be handled on a per-application basis in the custom attributes, or is it a global attribute on all Key types that should be managed by the User Agent?
Received on Monday, 6 August 2012 04:46:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 6 August 2012 04:46:58 GMT