W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2013

Re: ISSUE-9 [was Re: ISSUE-30: Key import/export?]

From: Ryan Sleevi <sleevi@google.com>
Date: Mon, 4 Mar 2013 10:57:10 -0800
Message-ID: <CACvaWvY9G+hHjwpAZEPBV7Ck=S1J-wituiAo2LrSHx=xced4yQ@mail.gmail.com>
To: Harry Halpin <hhalpin@w3.org>
Cc: Mark Watson <watsonm@netflix.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
On Mon, Mar 4, 2013 at 10:53 AM, Harry Halpin <hhalpin@w3.org> wrote:
> On 03/04/2013 07:44 PM, Ryan Sleevi wrote:
>>
>> On Mon, Mar 4, 2013 at 10:43 AM, Harry Halpin <hhalpin@w3.org> wrote:
>>>
>>> On 03/04/2013 07:22 PM, Ryan Sleevi wrote:
>>>>>
>>>>> To re-iterate, I'm not asking about export/import in terms of the
>>>>> WebIDL
>>>>> as
>>>>> currently written.
>>>>>
>>>>>    I'm asking about the notion that it is feasible developers may want
>>>>> to
>>>>> read/write key material outside the browser. In which case, there's a
>>>>> privacy angle that needs to be addressed.
>>>>>
>>>>> I'm pretty sure that's where the worries underlying ISSUE-9 come from,
>>>>> and
>>>>> ISSUE-30.
>>>>
>>>> We addressed ISSUE-9 - long ago - by saying it would not, beyond what
>>>> Mark's draft says. This was the entire crux of key discovery.
>>>
>>>
>>> Key Discovery only addresses symmetric pre-provisioned keys last time I
>>> checked.  We have not formally closed ISSUE-9 or the import or export of
>>> keys outside of the browser to my extent except in that very limited
>>> case.
>>>
>>> We can deal with ISSUE-9 and ISSUE-30 by moving them to the Web Discovery
>>> product. That is not closing them. That is moving the feature to a
>>> different
>>> product.
>>>
>>>
>>>
>>>>> If we want to say "import/export" is single-session and ephemeral,
>>>>> that's
>>>>> fine although that eliminates a number of use-cases. When I brought up
>>>>> the
>>>>> fact that all keys are ephemeral at the last telecon, it seemed folks
>>>>> in
>>>>> the
>>>>> WG were surprised and wanted further discussion.
>>>>
>>>> That's what it has said from the beginning. Key import/export has
>>>> always been separate from key discovery - the latter being potential
>>>> issues for ISSUE-9/30, but having absolutely nothing to do with the
>>>> import / export operations as they've ever been written.
>>>
>>>
>>> I'm saying "Key Discovery" is only symmetric keys.
>>
>> That is not the proposal.
>
>
> Then where is the WebIDL that deals with import/export into the non-browser
> filesystem?

Harry, what you just said does not make sense.

You said "Key Discovery" is only symmetric keys.

It is not. It can also be used for asymmetric keys.

The fact that there has never been a proposal for import/export,
outside of the same-origin provisions (as highlighted in our charter),
makes me think that you're proposing to introduce something that has
not been introduced.

>
>
>>
>>> The issue is still open
>>> and I don't think has been adequately discussed, but I do sympathize with
>>> just closing it as many in the WG are not actively paying attention.
>>> People
>>> need to understand that by closing these, we're limiting ourselves to
>>> pre-provisioned symmetric keys and ephemeral keys.
>>
>> No, we are not.
>
>
> OK, then how do you handle the import and export of key material outside the
> browser in a case that isn't pre-provisioned symmetic keys.
>
> I don't see anything in either the API or Key Discovery draft. And *if*
> there is something, my privacy concerns hold.

As has been repeatedly stated, there isn't. But what *is* different is
that there is absolutely no restriction to symmetric keys in the
pre-provisioned case. Mark's Key Discovery draft never says
"symmetric" - only pre-provisioned.
Received on Monday, 4 March 2013 18:57:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:15 UTC