Re: Unique identifiers and WebCrypto

Mark
I certainly agree that support for pre-provisioned keys (symmetric/otherwise) is a large-part of the expectations from people interested in delivering content to devices.
However, the user authorization of keys that come embedded in the device (at manufacturing time or delivered through a trusted means – out of scope) should be handled in a user-friendly way. Best case scenario is, the user is NOT asked for permission on such devices (user has no clue what a 'key' is and what this identifier is, and what they are authorizing). Rather the browser can rely on a configuration file present on the device.
When we are talking about pre-provisioned keys on hardware tokens accessed from other platforms, we need to be clear about a chicken-n-egg situation for permissions. The web application cannot ask for a permission to access a key that it does not know exists. So, the browsers need to let the web app know that certain keys exist with the user (though they cannot perform any operation on them). So, the wording around how browsers let the web apps know of the existence of a key should be made clear.

Thanks,
Seetharama


On 11/2/12 8:39 AM, "Mark Watson" <watsonm@netflix.com<mailto:watsonm@netflix.com>> wrote:

Web & TV group,

Earlier in the week we discussed requirements for unique identifiers for devices in the context of premium video services.

Within the WebCrypto group we discussed the idea of pre-provisioned symmetric cryptographic keys and the association of unique identifiers with these keys. This is based on a proposal from Netflix to address our requirements for secure binding of application protocol to devices, particularly on TVs, BluRay Players etc.

The latest proposal for this is available here: http://lists.w3.org/Archives/Public/public-webcrypto/2012Nov/0014.html

One question in the WebCrypto WG discussion was whether there were others who shared this requirement ? Since we discussed this in the Web & TV group I am posing the question to this list. Note that the possibility for UAs to support pre-provisioned keys is agreed in the WebCrypto group. The issue at hand is whether there should be a standard way to expose a unique identifier associated with such keys.

If you have comments or questions on the proposal please send them to the WebCrypto list, particularly if the proposal does or does not meet your requirements (public-webcrypto@w3.org<mailto:public-webcrypto@w3.org> if you are a member or public-webcrypto-comments@w3.org<mailto:public-webcrypto-comments@w3.org> if not). This issue will be decided at the next WebCrypto call on 11/19.

Best regards,

Mark Watson
Netflix

Received on Monday, 5 November 2012 22:21:21 UTC