Key provenance from Richard Barnes on 2013-10-04 (public-webcrypto@w3.org from October 2013)

From: Richard Barnes <rbarnes@bbn.com>
Date: Fri, 4 Oct 2013 17:03:02 -0400
To: Web Cryptography Working Group <public-webcrypto@w3.org>
Message-Id: <9330DE32-45FC-48B0-B455-ED6C17D4F32B@bbn.com>

Hey all,

I've been thinking about some identity use cases for WebCrypto, and in several cases, it seems useful for someone who looks at a key object to be able to tell if it only exists in that browser instance.  The "extractable" attribute provides part of that, but you still have to know that the key was generated by the host, and not by importKey or unwrapKey.

Proposal:  Add an attribute to the Key interface ("provenance" or "source") that specifies how the key was introduced to the API.  Possible values are "generate" and "import", indicating that the key was generated by the browser or imported by some other JS code, respectively.

It seems like it would be trivial for browsers to set this attribute, and there are no other API changes needed.  And it seems like being able to know this property of keys could lead to some interesting applications.

Cheers,
--Richard

Received on Friday, 4 October 2013 21:03:29 UTC