- From: Ryan Sleevi <sleevi@google.com>
- Date: Thu, 16 Aug 2012 10:45:47 -0700
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
On Wed, Aug 15, 2012 at 9:48 PM, Anders Rundgren <anders.rundgren@telia.com> wrote: > I have personally never seen a system where "extractable" means that a remote > server may read local private keys. Extractable in my book means that the user > may through an OS/Browser-defined mechanism export such keys in for example > PEM or PKCS #12 format. That's because there has never been a system that seeks to expose an API to web applications, as our charter clearly states. Extractable in the low-level API means the same thing as extractable for native applications - that the application executing (in this case, content script running on the user's local machine, supplied by a remote server) has access to the raw key material. > > If private keys are to be exchanged between a user-agent and service, the current > practice is to encrypt them. This makes the representation of their raw format > essentially a no-issue, or to be more correct, it is delegated to the wrapping layer. I fundamentally disagree with this assertion, and would cite PKCS#8 vs PKCS#12 as an example of where the representation of formats remains an important issue.
Received on Thursday, 16 August 2012 17:46:15 UTC