- From: Harry Halpin <hhalpin@w3.org>
- Date: Mon, 27 May 2013 23:33:23 +0200
- To: Christine Runnegar <runnegar@isoc.org>, GALINDO Virginie <virginie.galindo@gemalto.com>, public-privacy@w3.org
Although it's a bit early, we'd like to give a quick scheduling notice that we'd like a review of the Web Cryptography API spec and These drafts are not quite ready to ship for a thorough review, expect that to happen in June - although we wanted to get on your schedule - as Christine alerted us earlier how quickly it fills up.

Just a quick heads-up on some interesting issues as regards privacy:

1) Currently to avoid privacy problems in the Web Cryptography API [1], the API stores and accesses keys using "structured clone" to give them the same lifetime guarantees as cookies. I.e. so users can "clear" them and prevent keys being equivalent to super-cookies, without binding the keys to any particular storage mechanism. Instead, we assume vendors will use the best-of-breed and so may even call out to OS key stores, but without the user losing control.

2) Keys are set to be same origin, again following cookies. Private key material can be controlled by the domain if it's set to extractable. Otherwise, all key operations use key handles. We hope this satisfies some privacy constraints. No mandatory user-interaction is currently specified for handling key generation/import/export.

3) There is nonetheless the need for discovering "pre-provisioned" keys for some use-cases, and this is currently in a separate document due to discussions around privacy called the "Web Discovery" document [2]. Again, no user-interaction is currently specified for pre-provisioned keys. One use-case has the keys stored in hardware, and there are currently discussions around keys that could be stored in software (for better authentication use-cases as needed in some e-commerce scenarios) or in removable hardware (eID use-cases).

Those interested in providing early feedback can cc public-webcrypto-comments@w3.org, but be aware the drafts may - and *will* - change. We hope to get you a stable version by June.

cheers,
harry

[1] https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html
[2] https://dvcs.w3.org/hg/webcrypto-keydiscovery/raw-file/tip/Overview.html
Received on Monday, 27 May 2013 21:33:35 UTC
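
The distinction in point 2 between extractable keys and key handles, as an added example that is not part of the original message or of the W3C drafts. It uses the Web Crypto API as implemented in current browsers and Node.js rather than the 2013 draft syntax; the function names and the sample message are assumptions made for illustration.

```javascript
// Added illustration: extractable key material versus handle-only keys.
// Works in a browser console (crypto.subtle) or in Node.js.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Ask the runtime for the raw private key and report what happens.
async function tryExportPrivate(keyPair) {
  try {
    const pkcs8 = await subtle.exportKey('pkcs8', keyPair.privateKey);
    return { exported: true, bytes: pkcs8.byteLength };
  } catch (err) {
    // The runtime refuses: script only ever holds an opaque handle.
    return { exported: false, error: err.name };
  }
}

async function demoKeyHandles() {
  // Constructed sample input.
  const message = new TextEncoder().encode('constructed sample message');

  // extractable = false: the origin's script can use the key, not read it.
  const handleOnly = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  // extractable = true: the origin's script can pull out the private key.
  const extractable = await subtle.generateKey(ALG, true, ['sign', 'verify']);

  // Operations go through the handle even though the bytes are unreachable.
  const signature = await subtle.sign(SIG, handleOnly.privateKey, message);
  const verified = await subtle.verify(SIG, handleOnly.publicKey, signature, message);

  return {
    verified,
    handleOnlyFlag: handleOnly.privateKey.extractable,
    handleOnlyExport: await tryExportPrivate(handleOnly),
    extractableExport: await tryExportPrivate(extractable),
  };
}

// Stand-alone run: print the comparison.
demoKeyHandles().then((result) => console.log(result));
```

In a browser, a handle-only `CryptoKey` can also be written to IndexedDB, which stores it by structured clone without exposing the key bytes to script, so clearing site data removes it along with the origin's other storage.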