- From: Harry Halpin <hhalpin@w3.org>
- Date: Sun, 07 Dec 2014 12:24:45 +0100
- To: Jason Proctor <jason@mono.hm>, Ryan Sleevi <sleevi@google.com>
- CC: public-webcrypto@w3.org
Jason,
It's good for you to report your experiences, as many developers may
encounter some of the same problem. While the WebCrypto API spec is
basically done, the spec is aimed at implementers more than developers.
We still need to document the API with more examples and explain common
issues developers encounter.
Right now, the best documentation is probably at Microsoft:
http://msdn.microsoft.com/fr-fr/library/ie/dn302338%28v=vs.85%29.aspx
However, W3C would be more than happy to start creating user-centric
documentation at WebPlatformDocs.
Jason (or anyone) would you be interested in starting a wiki section for
WebCrypto?
https://docs.webplatform.org/wiki/apis#List_of_all_APIs
yours,
harry
On 12/07/2014 01:20 AM, Jason Proctor wrote:
> On Fri, Dec 5, 2014 at 12:42 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
> thanks for your response. much appreciated.
>
>> For RSA-OAEP, public keys support encrypt/wrap, private keys support
>> decrypt/unwrap.
>>
> well, now i can't break it. and given the amount of time i spent verifying
> the behaviour, this is frustrating and not a little embarrassing.
>
>
>> Wrapping/unwrapping the key or removing the usages from the JWK has zero
>> effect on these aspects, as they're encoded in the spec. You cannot use a
>> public key for decrypt (which, when you think about it, makes sense, as
>> then anyone in the world can decrypt) nor a private key for encrypt (for
>> the same reasons). If your system relies on anyone in the world being able
>> to decrypt with a public key, then what you've described is a signature,
>> not encryption.
>>
> absolutely. which is why i was so surprised at the behaviour.
>
>>> another significant issue i ran into was that RSAES-PKCS1 is no longer
>> supported. this is unfortunate as there are a lot of such keys around.
>>
>> Yes, but with the possible exception of TLS, and only in special,
>> carefully crafted cases that few have ever gotten right, they are all
>> insecure.
>>
>> So I don't lose sleep on the lack of support for them.
>>
> fair enough. rather naively i was hoping to import PKCS1 keys and export
> them as OAEP or something, but i accept that it's not necessarily the web
> crypto API's mission to help people migrate their keys.
>
>>> and the last issue (for now, grin) is that it seems i can make an RSA
>> pair for encrypt/decrypt or sign/verify but not both. really? i remember
>> the bad old days in pre-Bouncy Castle JCE, where i had to have both RSA and
>> DSA keys due to similar artificial restrictions.
>>
>> This isn't artificial. This is because the mathematical operations
>> employed make it absolutely fatal for ANY cryptosystem to mix and match
>> these. If you are using the same key for enc/dec as you are for
>> sign/verify, then you have designed a system that is fundamentally insecure
>> and broken.
>>
> consider me educated. i assume that this is because you don't want
> something signed with your "decrypting" private key floating around,
> exposed to brute-force? are there other reasons?
>
> thanks for all the help
> Jason
>
Received on Sunday, 7 December 2014 11:24:54 UTC