Re: Unique identifiers and WebCrypto

On 11/7/12 10:07 AM, "Mark Watson" <watsonm@netflix.com> wrote:


On Nov 5, 2012, at 2:20 PM, Seetharama Rao Durbha wrote:

Mark
I certainly agree that support for pre-provisioned keys (symmetric/otherwise) is a large part of the expectations from people interested in delivering content to devices.
However, the user authorization of keys that come embedded in the device (at manufacturing time or delivered through a trusted means – out of scope) should be handled in a user-friendly way. The best-case scenario is that the user is NOT asked for permission on such devices (the user has no clue what a 'key' is, what this identifier is, or what they are authorizing). Rather, the browser can rely on a configuration file present on the device.

Seetharama,

In a W3C context, from basic privacy principles, users should be aware when a service is able to track their device. We should make it clear in the specification when we include features that could facilitate that (in fact I think it's important that we are very transparent and up-front about that).

We don't, in W3C specifications, define *how* users are made so aware, either for browsers or devices. It is always up to the browser developer, device manufacturer and service to do that in a user-friendly way.

Mark,

Makes sense, but my two cents is that it would be good to standardize how a policy on the device could be used by the browser on the device; not a priority though.



When we are talking about pre-provisioned keys on hardware tokens accessed from other platforms, we need to be clear about a chicken-and-egg situation for permissions. The web application cannot ask for a permission to access a key that it does not know exists. So, the browsers need to let the web app know that certain keys exist with the user (though they cannot perform any operation on them). So, the wording around how browsers let the web apps know of the existence of a key should be made clear.

For keys on tokens, like smart-cards, etc. there is indeed a key discovery problem, which we don't yet have a detailed proposal for. There would need to be some way for the web application to ask for a list of keys with certain properties. User permission would be asked for before exposing the list to the application and if user permission is denied this should be indistinguishable from the key not existing (as far as the web application is concerned).

For pre-provisioned origin-specific keys of the type I am most concerned about, we would expect these to have well-known identifiers (at least, well-known to the origin in question) and so the discovery problem is solved that way.
Well, the question is – even if the app provides all necessary indices for a key, and such a key exists – should the browser inform the app that such a key exists? Depending on how easy it is to get to / guess such indices, as pre-existing keys do not have an associated origin, any origin will be able to ask for such keys, and get to know their existence. So, what is the value in hiding keys? Cannot we let all applications know about the existence of yet-to-be-bound / unbound keys?

…Mark


Thanks,
Seetharama


On 11/2/12 8:39 AM, "Mark Watson" <watsonm@netflix.com> wrote:

Web & TV group,

Earlier in the week we discussed requirements for unique identifiers for devices in the context of premium video services.

Within the WebCrypto group we discussed the idea of pre-provisioned symmetric cryptographic keys and the association of unique identifiers with these keys. This is based on a proposal from Netflix to address our requirements for secure binding of application protocol to devices, particularly on TVs, BluRay Players etc.

The latest proposal for this is available here: http://lists.w3.org/Archives/Public/public-webcrypto/2012Nov/0014.html

One question in the WebCrypto WG discussion was whether there were others who shared this requirement? Since we discussed this in the Web & TV group I am posing the question to this list. Note that the possibility for UAs to support pre-provisioned keys is agreed in the WebCrypto group. The issue at hand is whether there should be a standard way to expose a unique identifier associated with such keys.

If you have comments or questions on the proposal please send them to the WebCrypto list, particularly if the proposal does or does not meet your requirements (public-webcrypto@w3.org if you are a member or public-webcrypto-comments@w3.org if not). This issue will be decided at the next WebCrypto call on 11/19.

Best regards,

Mark Watson
Netflix

Received on Wednesday, 7 November 2012 21:44:10 UTC
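The following is an added illustration, not code from the thread and not a real WebCrypto API, of the key discovery behaviour Mark describes (user permission first, denial indistinguishable from a missing key) and of the question Seetharama raises about keys not yet bound to an origin. `KEY_STORE`, `discoverKeys`, `askUser` and the `exposeUnbound` policy flag are assumptions of this sketch.

```javascript
// Constructed pre-provisioned keys; origin === null means not yet bound to any origin.
const KEY_STORE = [
  { name: "device-key-1", origin: "https://service.example", usages: ["sign"] },
  { name: "token-key-7", origin: null, usages: ["encrypt"] },
];

// A single negative result, returned for "no such key", "bound to another origin"
// and "user declined", so the application cannot distinguish these cases.
const NOTHING = Object.freeze([]);

// Model of the user agent handling a discovery request (hypothetical API).
// policy.exposeUnbound decides whether unbound keys are visible to every origin.
function discoverKeys(requestOrigin, names, askUser, policy = { exposeUnbound: false }) {
  const candidates = KEY_STORE.filter(
    (k) =>
      names.includes(k.name) &&
      (k.origin === requestOrigin || (k.origin === null && policy.exposeUnbound))
  );
  if (candidates.length === 0) return NOTHING;
  // User consent is obtained before anything about the keys leaves the user agent.
  if (!askUser(requestOrigin, candidates.map((k) => k.name))) return NOTHING;
  // Only handles are exposed (name and usages), never key material.
  return candidates.map((k) => ({ name: k.name, usages: [...k.usages] }));
}

const allow = () => true;  // stand-in for a user who grants permission
const deny = () => false;  // stand-in for a user who declines

// Stand-alone demonstration of the cases discussed in the thread.
function demo() {
  return {
    found: discoverKeys("https://service.example", ["device-key-1"], allow),
    denied: discoverKeys("https://service.example", ["device-key-1"], deny),
    missing: discoverKeys("https://service.example", ["no-such-key"], allow),
    otherOrigin: discoverKeys("https://other.example", ["device-key-1"], allow),
    // If unbound keys are exposed, any origin that can guess the name learns it exists.
    unboundFromAnyOrigin: discoverKeys("https://other.example", ["token-key-7"], allow, { exposeUnbound: true }),
    unboundHidden: discoverKeys("https://other.example", ["token-key-7"], allow),
  };
}
```

The `denied`, `missing` and `otherOrigin` results are identical, which is the property Mark asks for; the two `unbound*` results show the trade-off behind Seetharama's question.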