W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2013

Re: ISSUE-9 [was Re: ISSUE-30: Key import/export?]

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 4 Mar 2013 10:22:23 -0800
Message-ID: <CACvaWvZGi6Yo_Ho-GjSDTgo+KjJFATcuDE7ehp-DouW0zvYQ_Q@mail.gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Cc: Mark Watson <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
>
> To re-iterate, I'm not asking about export/import in terms of the WebIDL as
> currently written.
>
>  I'm asking about the notion that it is feasible developers may want to
> read/write key material outside the browser. In which case, there's a
> privacy angle that needs to be addressed.
>
> I'm pretty sure that's where the worries underlying ISSUE-9 come from, and
> ISSUE-30.

We addressed ISSUE-9 - long ago - by saying it would not, beyond what
Mark's draft says. This was the entire crux of key discovery.

>
> If we want to say "import/export" is single-session and ephemeral, that's
> fine although that eliminates a number of use-cases. When I brought up the
> fact that all keys are ephemeral at the last telecon, it seemed folks in the
> WG were surprised and wanted further discussion.

That's what it has said from the beginning. Key import/export has
always been separate from key discovery - the latter being potential
issues for ISSUE-9/30, but having absolutely nothing to do with the
import / export operations as they've ever been written.
Received on Monday, 4 March 2013 18:22:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:15 UTC