
[Bug 25815] Spec encourages unsafe handling of secret data for JWK import of RSA/ECC keys

From: <bugzilla@jessica.w3.org>
Date: Mon, 19 May 2014 20:38:11 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25815-7213-pxOEKMAzr6@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25815

--- Comment #1 from Ryan Sleevi <sleevi@google.com> ---
On the Chromium side, we've encountered a number of issues where the
inconsistency between DataError and OperationError has been difficult to
ascertain in a UA that defers cryptographic operations to another library (e.g.,
NSS, OpenSSL).

Equally, the distinction between OperationError and DataError does not seem to
be consistently applied.

For example, in the case of RSA, inconsistent message sizes result in
OperationError, whereas in AES, they're DataError. In ECDH derivation, if an
invalid public key is specified (e.g., perhaps its parameters are hostile towards
the private key / on an invalid point) it's an OperationError. AES-GCM
Decryption Failure is an OperationError (even though it's the data that is
invalid for the tag).

Received on Monday, 19 May 2014 20:38:12 UTC
