
Comments on unwrap method

From: Hutchinson Michael <Michael.Hutchinson@gemalto.com>
Date: Tue, 18 Jun 2013 00:10:19 +0200
To: Ryan Sleevi <sleevi@google.com>
CC: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <AA393B9CFBFD084C9700F56093098004016809D6D0EB@CROEXCFWP03.gemalto.com>
Ryan,

14.2.10. The wrapKey method

7 If Key.extractable is not true, terminate this algorithm with an error.

Need "Key" to be lower case "key":

7 If key.extractable is not true, terminate this algorithm with an error.


14.2.11. The unwrapKey method

8 If Key.extractable is not true, terminate this algorithm with an error.

This does not make sense as Key has no association here; maybe a copy and paste from 14.2.10 7?

Should it not be

8 If unwrappingKey.extractable is true, terminate this algorithm with an error.


Also, should there be some security checking for the unwrap key, such as:

If unwrappingKey.keyUsage contains the "decrypt" KeyUsage, terminate this algorithm with an error.

or would that be a function of the high level API? :-)


Also, I note that many of the methods do not contain the test for their own key usage.
e.g. decrypt does not contain

If key.keyUsage does not contain the "decrypt" KeyUsage, terminate this algorithm with an error.


Of course, as Unwrap is effectively a high-level API (it makes use of decrypt), inclusion of both the security check and the key usage self-test would block the Unwrap from using the decrypt implementation directly. :-(

>Michael
Received on Monday, 17 June 2013 22:10:44 UTC
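
The layering problem raised in the last paragraph of the message, as a small model added here (not part of the original message, the draft specification, or any browser implementation). The key-object shape, the "unwrapKey" usage name and the XOR stand-in for the cipher are assumptions made for illustration.

```javascript
// Added model of the checks discussed in the message; not spec text and not a real
// Web Crypto implementation. Key shape and the "unwrapKey" usage name are assumptions.
const outcome = (fn) => {
  try { return { ok: true, value: fn() }; } catch (e) { return { ok: false, error: e.message }; }
};

// Stand-in for the cipher (byte-wise XOR, reversible, NOT secure) so the model runs offline.
const rawOp = (key, bytes) => bytes.map((b, i) => b ^ key.secret[i % key.secret.length]);

// Public decrypt with the usage self-test the message says is missing.
function decrypt(key, data) {
  if (!key.keyUsage.includes("decrypt")) throw new Error("decrypt: key lacks 'decrypt' usage");
  return rawOp(key, data);
}

// Checks on the unwrapping key: the proposed step 8, the proposed security check,
// and a usage self-test for unwrap itself (usage name assumed).
function checkUnwrappingKey(k) {
  if (k.extractable) throw new Error("unwrapKey: unwrapping key is extractable");
  if (k.keyUsage.includes("decrypt")) throw new Error("unwrapKey: unwrapping key allows 'decrypt'");
  if (!k.keyUsage.includes("unwrapKey")) throw new Error("unwrapKey: key lacks 'unwrapKey' usage");
}

// Variant A: unwrap layered directly on the public decrypt method.
function unwrapViaPublicDecrypt(k, wrapped) { checkUnwrappingKey(k); return decrypt(k, wrapped); }

// Variant B: unwrap and decrypt share an internal operation that carries no usage check.
function unwrapViaInternalOp(k, wrapped) { checkUnwrappingKey(k); return rawOp(k, wrapped); }

function runModel() {
  const secret = [0x5a, 0xc3, 0x11, 0x7e];       // constructed sample wrapping-key bytes
  const keyBytes = [1, 2, 3, 4, 5, 6, 7, 8];     // constructed "key to be wrapped"
  const kek = (usages) => ({ extractable: false, keyUsage: usages, secret });
  const wrapped = rawOp(kek([]), keyBytes);
  return {
    // A with an unwrap-only key: stopped by decrypt's self-test.
    aUnwrapOnly: outcome(() => unwrapViaPublicDecrypt(kek(["unwrapKey"]), wrapped)),
    // A with a key that also has "decrypt": stopped by the security check.
    aBothUsages: outcome(() => unwrapViaPublicDecrypt(kek(["unwrapKey", "decrypt"]), wrapped)),
    // B with an unwrap-only key: both checks hold and unwrap still works.
    bUnwrapOnly: outcome(() => unwrapViaInternalOp(kek(["unwrapKey"]), wrapped)),
    // Editor's reading of why the security check matters (not stated in the message):
    // a "decrypt"-capable wrapping key returns wrapped key bytes through plain decrypt.
    decryptWrapped: outcome(() => decrypt(kek(["unwrapKey", "decrypt"]), wrapped)),
  };
}

console.log(runModel());
```

In this model no set of usages lets variant A succeed, which is the conflict the message describes; variant B keeps both checks by moving the shared work below the public method.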
