- From: <bugzilla@jessica.w3.org>
- Date: Wed, 21 May 2014 00:10:06 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25721

--- Comment #16 from Tom Lowenthal <me@tomlowenthal.com> ---

These concerns are not based on a misunderstanding. Instead, they are only considered unrealistic because of an overly-constrained formal threat model which is manifoldly incompatible with plausible threats.

I also formally object to the inclusion of extractable keys as a required component of this API. My objection could be mitigated by normatively recommending that browsers engage in user-interaction both when generating an extractable key and when it is requested that such a key be exported. A normative description of additional API parameters

In addition, a non-normative recommendation should be given that web applications which request the generation of an extractable key check to see whether the key generated in this way has the extractable flag. This would allow for the UA behavior of allowing a generation request for an extractable key to be resolved with a non-extractable key if the user chooses.

I think that browsers' user prompts for location information are a completely appropriate basic model for these types of requests.

--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 21 May 2014 00:10:08 UTC
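
The application-side check recommended in the comment above, as an added example that is not part of the original message: after `generateKey()` resolves, the application reads the `extractable` flag on the returned key before relying on export. The helper names are hypothetical, and a user agent that resolves an extractable request with a non-extractable key is the behaviour proposed in the comment, not something the example assumes any browser does.

```javascript
// Added example (not from the original message). Helper names are hypothetical.
// Uses the global WebCrypto object; falls back to node:crypto on older Node.js.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// generateKey() resolves to a CryptoKey (symmetric) or a CryptoKeyPair
// (asymmetric). The flag that matters is the one on the secret or private key.
function secretKeyOf(result) {
  return result.privateKey ?? result;
}

// Compare what the application asked for with what it was actually given.
function checkGrant(result, requestedExtractable) {
  const granted = secretKeyOf(result).extractable === true;
  return {
    requested: requestedExtractable,
    granted,
    // Asked for an exportable key but received a non-extractable one.
    downgraded: requestedExtractable && !granted,
  };
}

async function generateAndCheck(algorithm, requestedExtractable, usages) {
  const result = await subtle.generateKey(algorithm, requestedExtractable, usages);
  return { result, ...checkGrant(result, requestedExtractable) };
}

// Export only when the flag allows it; null tells the caller to skip any
// backup or key-wrapping step instead of handling a rejected exportKey().
async function exportIfAllowed(key, format) {
  if (!key.extractable) return null;
  return subtle.exportKey(format, key);
}
```
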