- From: Martin Thomson <notifications@github.com>
- Date: Tue, 25 Nov 2014 13:56:10 -0800
- To: w3c/push-api <push-api@noreply.github.com>
- Message-ID: <w3c/push-api/pull/89/c64478035@github.com>
This is a good start, but it isn't quite complete. The spec also needs to define what key usage the keys will have, and what types they will include. The key usage is simple. We are minting a new key usage for WebRTC that has similar properties. See w3c/webrtc-pc#28 for details. I think that the right thing here is to define a "webpush" key usage with similar properties to the "webrtc" usage: i.e., you can look at the public key, but it is otherwise unusable by the web application. The type or (algorithm, to be more precise) is harder. Restricting this to any key usage that would ordinarily be good for the "decrypt" operation seems like the obvious choice, but in practice, the "deriveBits" operation is a better choice. In WebCrypto terms, that means enabling ECDH and (Finite-Field) Diffie-Hellman. Picking the one true algorithm that everyone has to implement is hard, because not only does it include that choice, but it includes groups or curves, plus symmetric protection as well. --- Reply to this email directly or view it on GitHub: https://github.com/w3c/push-api/pull/89#issuecomment-64478035
Received on Tuesday, 25 November 2014 21:57:02 UTC