Re: Additional use cases from Arun Ranganathan on 2013-05-07 (public-webcrypto@w3.org from May 2013)

From: Arun Ranganathan <arun@mozilla.com>
Date: Tue, 7 May 2013 14:10:19 -0400
To: Lu HongQian Karen <karen.lu@gemalto.com>
Cc: "public-webcrypto@w3.org Working Group" <public-webcrypto@w3.org>
Message-Id: <349BFE67-E6BA-430D-8058-6B14526ED565@mozilla.com>

Hi Karen :)

On May 6, 2013, at 12:38 PM, Lu HongQian Karen wrote:

> Hi Arun,
>  
> Here are the two use cases that I have talked about at the recent F2F meeting.
>  
> Cross-origin use cases:

I'm strongly in favor of capturing a cross-origin use case that leverages the existing web technology stack and the Web Crypto API.  The way I envision this is having a credible multi-origin use case make use of cross-origin messaging (postMessage) and the fact of Structured Clonability to perform a cryptographic operation in one origin under the aegis of the origin that has generated the keys.

>  
> 1.  Asymmetric key use case: A healthcare association (origin 1) issued Dr. Smith an X.509 certificate and the corresponding private key. Dr. Smith accesses an e-prescription service (origin 2) and uses her private key to sign e-prescriptions.

This would be a good use case for my claim above, modulo a few things:

1. The X.509 certificate you mention can be stored in IndexedDB within origin 1, and can be represented in JSON.
2. The key can be shared with origin 2 via cross-origin messaging.

Do you envision things like this?

> 2.  Secret key use case: Danny signed up at a cloud storage (origin 1) that created him a secret access key and persisted it through Danny’s UA. Danny stores his 3D model data in the cloud storage. He then uses an online 3D printing service (origin 2) to print his model. To access Danny’s model in Origin 1, Origin 2 needs to use Danny’s secret key. Danny tells Origin 2 certain attribute(s) of his key. The Origin 2 finds the key object through the UA and uses the key to sign API requests for getting the model from cloud storage.

This use case is also credible, but I'm not sure why it's necessary for Danny to "tell Origin 2 certain attribute(s) of his key."  Do you mean, the key here is exportable?  Do you think that cross-origin messaging alone is insufficient here?

>  
> Although these two use cases are out of the current WG scope. It’ll be good to collect them for future work.

Interestingly enough, I think we should put these use cases in scope of this WG, *unless* you think cross-origin messaging is insufficient to carry them out :)

-- A*

Received on Tuesday, 7 May 2013 18:10:48 UTC