Re: origin bound key generation from Seetharama Rao Durbha on 2012-08-22 (public-webcrypto@w3.org from August 2012)

From: Seetharama Rao Durbha <S.Durbha@cablelabs.com>
Date: Wed, 22 Aug 2012 09:30:18 -0600
To: Ryan Sleevi <sleevi@google.com>, Mountie Lee <mountie.lee@mw2.or.kr>
CC: Web Cryptography Working Group <public-webcrypto@w3.org>
Message-ID: <CC5A55FC.55DA%s.durbha@cablelabs.com>

On 8/21/12 7:33 PM, "Ryan Sleevi" <sleevi@google.com<mailto:sleevi@google.com>> wrote:

>>I've been trying to find a way to propose text that balances these
>>concerns, but to be honest, I don't have a good solution. Part of this
>>is what lead to the proposal of requiring CSP, since this can mitigate
>>(some of) the security concerns, but I think there's still a lot of
>>security risks that have to be talked through and discussed before we
>>go too far.

Ryan,
>From my notes at the F2F, we had attributes of type scope (including access control and temporary/permanent). These were supposed to be set at the time of creation and read-only after that. Access control attribute was meant to allow the origin to specify which sites can access/use this key (may be we need granularity of purpose too).
I have not been following the conversations much lately, but I do not see the access control attribute in the draft (temporary is there). Has it been dropped because of some reason?

Thanks,
Seetharama

Received on Wednesday, 22 August 2012 15:30:49 UTC