RE: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

Hi Ryan,

I agree with you that Issue-30 needs more elaboration. 

Regarding keyLocation, I was thinking:

Enum keyLocation {
  None, // unspecified
  Browser, // browser's storage
  Local, // local storage other than browser's
  CryptoProvider // complexity: a user agent may have more than one cryptoProviders
};


Regards,
Karen

-----Original Message-----
From: Ryan Sleevi [mailto:sleevi@google.com] 
Sent: Tuesday, August 28, 2012 8:11 PM
To: Ali Asad
Cc: Seetharama Rao Durbha; GALINDO Virginie; Lu HongQian Karen; public-webcrypto@w3.org
Subject: Re: crypto-ISSUE-30 (where is the key ?): How does the application know where the key is stored ? [Web Cryptography API]

On Tue, Aug 28, 2012 at 4:28 PM, Ali Asad <Asad.Ali@gemalto.com> wrote:
> To the Editors,
>
>
>
> I suggest that we introduce a new section in Draft API document to 
> indicate future planned work for key query/discovery and how it will 
> handle pre-provisioned keys stored in secure elements. Here is the 
> suggested text for this new section.
>
>
>
>>>>>
>
> 18. KeyDiscoverer Interface
>
> IDL:
>
> interface KeyDiscoverer : KeyOperation {
>       void discover();
>       KeyLocation location;
> };
>
> enum KeyLocation {
>      // TBD
> };
>
> Editorial note:
>
> The API for discovery and selection of pre-provisioned keys, for 
> example those residing on secure elements such as smart cards, is not 
> fully specified yet. However, once a key is selected from secure 
> element, the implementing agent will ensure that all subsequent crypto 
> operations are delegated to the secure element that contains this key. 
> Additionally, the application will be informed that the user had 
> selected a key from a secure element.

Hi Asad,

Just a quick note - I think the discussion related to key querying (that is, previously authorized or pre-provisioned) and key discovery (discovery of keys not explicitly granted) is too complex and the needs not well understood enough to support adding this to the draft.

I've made a note to highlight ISSUE-30, but I have concerns about adding this API for FPWD.

In order to better understand what you're proposing here:
1) Can you please provide a sample of what you imagine "KeyLocation" containing.
2) Can you please provide a use case for how an application would use "KeyLocation".
3) Can you please provide an example of how "KeyLocation" may be implemented by all conforming user agents, in a manner that is agnostic to the method of key storage they use?


>
>
>
> ISSUE-30: How does the application know where the key is stored ?
>
>>>>>
>
>
>
> Regards,
>
> --- Asad
>
> From: Ali Asad [mailto:Asad.Ali@gemalto.com]
> Sent: Tuesday, August 28, 2012 10:26 AM
> To: Seetharama Rao Durbha; GALINDO Virginie; Lu HongQian Karen
> Cc: public-webcrypto@w3.org
> Subject: RE: crypto-ISSUE-30 (where is the key ?): How does the 
> application know where the key is stored ? [Web Cryptography API]
>
>
>
> I agree with Seetharama that once we start looking into key query API 
> we can decide how best to incorporate the source information - either 
> in the query itself, or after the fact, based on user selection. But 
> it is good to keep this issue 30 as a reminder that we have to do this.
>
>
>
> Since there is little time before going to first public draft, we 
> should at least add some text in the draft to indicate that this will 
> be done later. I will write up a description around this today and send to the group.
>
>
>
> Regards,
>
> --- asad
>
>
>
> From: Seetharama Rao Durbha [mailto:S.Durbha@cablelabs.com]
> Sent: Monday, August 27, 2012 5:57 PM
> To: GALINDO Virginie; Lu HongQian Karen; Ali Asad
> Cc: public-webcrypto@w3.org
> Subject: Re: crypto-ISSUE-30 (where is the key ?): How does the 
> application know where the key is stored ? [Web Cryptography API]
>
>
>
> I am not raising another issue for 'query keys belonging to a type of 
> storage' at this point - as there is no key query mechanism at this 
> point. I think I heard Ryan saying that at some point in future we 
> will have to get key query supported in the spec. At that point, we 
> can add type of storage as another query parameter.
>
> Please let me know if my understanding is not correct.
>
>
>
> Thanks,
>
> Seetharama
>
>
>
> On 8/27/12 2:49 PM, "GALINDO Virginie" <Virginie.GALINDO@gemalto.com> wrote:
>
>
>
> Karen, Asad, and all,
>
> As per your request of today's call, I have created an issue about the 
> location of the key. Feel free to amend/comment its description and 
> agree with the editors to make sure it is correctly expressed in the 
> version of our draft API going to the FPWD.
>
> Regards,
>
> Virginie
>
> Gemalto
>
> Chair of the Web Crypto WG
>
>
>
> -----Original Message-----
>
> From: Web Cryptography Working Group Issue Tracker 
> [mailto:sysbot+tracker@w3.org]
>
> Sent: Monday, 27 August 2012 22:46
>
> To: public-webcrypto@w3.org
>
> Subject: crypto-ISSUE-30 (where is the key ?): How does the 
> application know where the key is stored ? [Web Cryptography API]
>
>
>
> crypto-ISSUE-30 (where is the key ?): How does the application know 
> where the key is stored ? [Web Cryptography API]
>
>
>
> http://www.w3.org/2012/webcrypto/track/issues/30
>
>
>
> Raised by: Karen Lu
>
> On product: Web Cryptography API
>
>
>
> During our discussion on the 27th of August, the problem related to 
> usage of keys stored in secure element has been discussed. While a 
> previous issue (#11) has been already closed about the definition of a 
> specific attribute for indicating if the key was stored in a specific 
> secure element (or crypto providers), the problem about making sure 
> the application is aware of the key location is still pending. The 
> means for solving this specific problem do not need to rely on a specific attribute.
>

Received on Wednesday, 29 August 2012 17:03:23 UTC