- From: Ryan Sleevi <sleevi@google.com>
- Date: Fri, 1 Mar 2013 10:28:05 -0800
- To: Mark Watson <watsonm@netflix.com>
- Cc: Nick Van den Bleeken <Nick.Van.den.Bleeken@inventivegroup.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Fri, Mar 1, 2013 at 7:44 AM, Mark Watson <watsonm@netflix.com> wrote: > Hi Nick, > > In WebCrypto, keys are associated with a very specific algorithm, such as > RSAES-PKCS1-v1_5. When you pre-provision named keys for a specific origin, > you should pre-provision their attributes - including this specific > algorithm - as well. > > Now, since the pre-provisioning mechanism is out-of-scope of the > specification, you can implement this however you like. If you want to > expose multiple named keys that - under the covers - are derived from the > same secret keying material then you are free to do that (although I cannot > comment on the wisdom of that from a security perspective). > > I think it is an open issue whether getKeysByName should be able to return > multiple values. At one point the idea was that you could specify wildcard > names. Without wildcards we'd imagined that getKeysByName should return a > single value. This could be another reason to return multiple. > > ...Mark > +1 Using the same keying material with multiple algorithms should be a security non-goal, because it only leads to cryptographic pain. The provisioning of a NamedKey (out of spec) should also include provisioning the associated algorithm.
Received on Friday, 1 March 2013 18:28:33 UTC