W3C home > Mailing lists > Public > public-webcrypto@w3.org > May 2014

[Bug 25711] Not clear if keys persist across sessions

From: <bugzilla@jessica.w3.org>
Date: Thu, 15 May 2014 13:44:46 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25711-7213-F6XXItDVQg@http.www.w3.org/Bugs/Public/>

--- Comment #2 from Kelsey Cairns <kelsey.cairns@inria.fr> ---
So I guess the larger problem is not so much confusion at the level of how
behaves. In my mind it's branching into two new directions which should
possibly be different bugs. 

I still need to think about the how-keys-behave direction. But the
lack-of-clarity direction is more a matter of discrepancy between the actual
API spec and what the use cases and structure would lead one to think. 

If you want an example of what I'm thinking, consider the word "import" with
respect to keys. There are many possible interpretations here, but it seems to
me that a very natural one suggests transferring a key from the outside world
into some local storage for many keys. The semantics WebCrypto has chosen is
different in that the container into which a key is imported is more of a
wrapper -- something that holds a single key in a way to make it useable with
the rest of the API. Both interpretations make sense; The chosen language
(import/export) doesn't imply that we're *not* talking about a general

Okay. So the phrase "agnostic to underlying key storage mechanism" is near the
top of the spec somewhere. Really, anyone who reads that shouldn't be confused
by the import/export language.

Now consider all the use cases. The first use case mentioned dives into a
description that very implies that users can authenticate in later sessions.
The phrase "proving that the user has access to some secret keying material"
implies persistent keys. The use cases continue, suggesting (and even relying
on) persist storage but glossing over the details.

So all in all, here's my conclusion: yes, the API specifically states how keys
work. But the surrounding language and discussion aren't consistent with what
is specified by the API and what is out of scope. Given that it's an English
language document and its readers are humans, I think this might be one of the
things causing so much general confusion.

You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 15 May 2014 13:44:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:22 UTC