- From: <bugzilla@jessica.w3.org>
- Date: Wed, 30 Apr 2014 17:15:11 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25385

--- Comment #8 from David Dorwin <ddorwin@google.com> ---
(In reply to GEXIN1984 from comment #5)
> I just think the Webcrypto has already provide a method, if reused here, it
> maybe simpler for specification.

The same level of security as Clear Key could be provided by WebCrypto, but that would introduce an additional path and set of APIs.

> However, if my proposal is too complex, provide a public key to encrypt the
> simple key can also work, I think. But what I want to emphasize is that the
> plain text content key should not be available in JS environment. That is
> the main issue. The UA may decrypt the content key using the private key
> and then directly pass it to the simple key CDM. Then the content key is not
> exposed to the JS.

Where does the public key come from? How does the license server know that it wasn't generated in JavaScript?

(In reply to GEXIN1984 from comment #7)
> (In reply to David Dorwin from comment #4)
> > Actually, I don't think there is any additional security since JavaScript
> > (or anything else) could have provided the public key.
> What do you mean by JavaScript provided the public key? the WebCrypto API?
> But by using this API, the content key decrypted is still exposed to JS, so
> it is not secure. So I propose to integrate the WebCrypto API with EME by
> passing the encrypted content key directly to the simple key CDM.

Is your goal to make the content key inaccessible to the user from JavaScript? While WebCrypto can be used to accomplish this, there is nothing that enforces this. The user could bypass the WebCrypto calls and provide a fake public key that the user can then use to decrypt the content key. Without some more complex mechanism, there is no way to determine that the public key came from the UA.

--
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 30 April 2014 17:15:12 UTC
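
The point made in comment #8, as an added example that is not part of the original message or of any EME or Clear Key implementation: a server that wraps the content key to whatever public key it receives cannot tell a UA-held key from one generated in script. `licenseServerWrap`, the two key-pair roles and the sample content key are hypothetical and constructed for illustration.

```javascript
// Added illustration. licenseServerWrap and the "UA" / "script" roles are
// hypothetical; nothing here is an EME, Clear Key or license-server API.
// WebCrypto is global in browsers and recent Node; older Node needs the fallback.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

const RSA_OAEP = {
  name: 'RSA-OAEP',
  modulusLength: 2048,
  publicExponent: new Uint8Array([1, 0, 1]),
  hash: 'SHA-256',
};

// Hypothetical license server: all it receives is SPKI bytes. Nothing in those
// bytes says who generated the key pair or where the private key lives.
async function licenseServerWrap(spkiBytes, contentKey) {
  const pub = await subtle.importKey('spki', spkiBytes, RSA_OAEP, false, ['encrypt']);
  return new Uint8Array(await subtle.encrypt({ name: 'RSA-OAEP' }, pub, contentKey));
}

async function demo() {
  const contentKey = new Uint8Array(16).fill(0x42); // constructed sample key

  // Stand-in for a key pair held by the UA: private key marked non-extractable.
  const uaPair = await subtle.generateKey(RSA_OAEP, false, ['encrypt', 'decrypt']);
  // Key pair generated by page script instead.
  const scriptPair = await subtle.generateKey(RSA_OAEP, true, ['encrypt', 'decrypt']);

  const uaSpki = new Uint8Array(await subtle.exportKey('spki', uaPair.publicKey));
  const scriptSpki = new Uint8Array(await subtle.exportKey('spki', scriptPair.publicKey));

  // The server has no basis to treat the two requests differently.
  const forUa = await licenseServerWrap(uaSpki, contentKey);
  const forScript = await licenseServerWrap(scriptSpki, contentKey);

  // Script holds the matching private key, so the content key is back in JS.
  const plain = new Uint8Array(
    await subtle.decrypt({ name: 'RSA-OAEP' }, scriptPair.privateKey, forScript));

  return {
    serverWrappedBoth: forUa.length === 256 && forScript.length === 256,
    recoveredInScript: plain.length === contentKey.length &&
      plain.every((b, i) => b === contentKey[i]),
  };
}

demo().then((result) => console.log(result));
```

Closing the gap requires the server to verify where the key came from, which is the "more complex mechanism" the comment refers to.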