Re: ISSUE-9 [was Re: ISSUE-30: Key import/export?]

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 4 Mar 2013 10:44:43 -0800
Message-ID: <CACvaWvaEGh5G0nbSf_pWu=b44+2zPZuMAzMeB7W_z93dQbOhuQ@mail.gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Cc: Mark Watson <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>

On Mon, Mar 4, 2013 at 10:43 AM, Harry Halpin <hhalpin@w3.org> wrote:
> On 03/04/2013 07:22 PM, Ryan Sleevi wrote:
>>>
>>> To re-iterate, I'm not asking about export/import in terms of the WebIDL as
>>> currently written.
>>>
>>> I'm asking about the notion that it is feasible developers may want to
>>> read/write key material outside the browser. In which case, there's a
>>> privacy angle that needs to be addressed.
>>>
>>> I'm pretty sure that's where the worries underlying ISSUE-9 come from, and
>>> ISSUE-30.
>>
>> We addressed ISSUE-9 - long ago - by saying it would not, beyond what
>> Mark's draft says. This was the entire crux of key discovery.
>
>
> Key Discovery only addresses symmetric pre-provisioned keys last time I
> checked.  We have not formally closed ISSUE-9 or the import or export of
> keys outside of the browser to my extent except in that very limited case.
>
> We can deal with ISSUE-9 and ISSUE-30 by moving them to the Web Discovery
> product. That is not closing them. That is moving the feature to a different
> product.
>
>
>
>>> If we want to say "import/export" is single-session and ephemeral, that's
>>> fine although that eliminates a number of use-cases. When I brought up the
>>> fact that all keys are ephemeral at the last telecon, it seemed folks in the
>>> WG were surprised and wanted further discussion.
>>
>> That's what it has said from the beginning. Key import/export has
>> always been separate from key discovery - the latter being potential
>> issues for ISSUE-9/30, but having absolutely nothing to do with the
>> import / export operations as they've ever been written.
>
>
> I'm saying "Key Discovery" is only symmetric keys.

That is not the proposal.

> The issue is still open
> and I don't think has been adequately discussed, but I do sympathize with
> just closing it as many in the WG are not actively paying attention.  People
> need to understand that by closing these, we're limiting ourselves to
> pre-provisioned symmetric keys and ephemeral keys.

No, we are not.

> I understand many in the
> WG are not paying that active attention, so I'm bringing this up.  When most
> people say "import/export" they imagine that it means importing and
> exporting outside the browser as well I imagine.
>
>    cheers,
>        harry
>
Received on Monday, 4 March 2013 18:45:10 UTC
