Re: WebCrypto Key Discovery Draft

On Sun, Apr 21, 2013 at 11:29 PM, Anders Rundgren
<anders.rundgren@telia.com> wrote:
> http://www.w3.org/TR/2013/WD-webcrypto-key-discovery-20130108/
>
> Since there are no standards for provisioning "named origin-specific keys", this draft relies on specifically adapted UAs.
> There's absolutely nothing wrong with that but I honestly do not see that you need a _standard_ for such use-cases.
>...

*****

This is troubling (use of the word MAY):

Blocking access to named origin-specific pre-provisioned keys

    User agents may restrict access to
    named origin-specific pre-provisioned
    keys to scripts originating at the domain
    of the top-level document of the browsing
    context, for instance returning empty key
    search results for pages from other
    domains running in iframes.

Under what conditions/circumstances may it (or may it not) restrict
access? HTTPONLY flag? Should there be another flag? Should key
operations only be available on HTTPS connections? How would a site
take a defensive posture so the key is only available on the login
page, but not other pages (once the key is used to authenticate)? Or
can the key be used for authorization at the transaction level?

Why is it pre-provisioned keys? Wouldn't the concerns (and abuses)
apply to other UA reachable keys as well?

*****

What does STRONGLY mean?

Treating named origin-specific pre-provisioned keys as cookies

    User agents should present the named
    origin-specific pre-provisioned keys
    feature to the user in a way that associates
    it strongly with HTTP session cookies.

*****

This does not work in practice. The user will not make an informed decision:

Origin-tracking of named origin-specific pre-provisioned keys

    ... If this information is then used to
    present a view of pre-provisioned keys
    to the user, it would allow the user to
    make informed decisions about
    authorizing sites to make use of keys.

*****

Need to hear more about the blacklists.... Is it used in place of
explicit expiration or revocation? What's its format? How is the info
shared?

Jeff

Received on Monday, 22 April 2013 03:58:42 UTC
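The following is an added illustration, not part of Jeff's mail, the Key Discovery draft, or any user agent's code. It models the draft's "Blocking access" clause as a small Node.js policy function so the two open questions above (HTTPS only? top-level origin only?) become explicit switches rather than a MAY. The key store, the `bank.example` / `evil.example` origins and the key name `login-key` are constructed for the example; `getKeysByNameModel` is a stand-in for the draft's `getKeysByName` and is not its normative algorithm.

```javascript
// Added example: a model of the Key Discovery "Blocking access to named
// origin-specific pre-provisioned keys" clause. Not a UA implementation.

// Constructed store: origin -> keys pre-provisioned for that origin.
// Keys are origin-scoped in the draft, so there is no path granularity
// (a key cannot be limited to /login by this mechanism alone).
const PROVISIONED_KEYS = new Map([
  ["https://bank.example", [{ name: "login-key", id: "k1" }]],
]);

// Two policy switches corresponding to the questions in the mail.
// The draft leaves this as "user agents MAY"; here it is an explicit choice.
const DEFAULT_POLICY = { requireHttps: true, topLevelOnly: true };

// WHATWG URL canonicalises scheme, host and default port for us,
// so "https://bank.example:443/x" and "https://bank.example/y" compare equal.
function originOf(url) {
  return new URL(url).origin;
}

// ctx.documentUrl: URL of the document whose script is asking for keys.
// ctx.topLevelUrl: URL of the top-level document of the browsing context.
// Returns the matching keys, or [] when the policy blocks the lookup
// (the draft's "empty key search results for pages ... running in iframes").
function getKeysByNameModel(ctx, name, policy = DEFAULT_POLICY) {
  const doc = originOf(ctx.documentUrl);
  const top = originOf(ctx.topLevelUrl);

  if (policy.requireHttps && !doc.startsWith("https:")) return [];
  if (policy.topLevelOnly && doc !== top) return [];

  const keys = PROVISIONED_KEYS.get(doc) || [];
  return keys.filter((k) => k.name === name);
}

// Page-side check a site could add for its own defensive posture: refuse to
// use the key when framed. `self !== top` is real browser behaviour, but this
// is advisory only; enforcement has to come from the UA policy above.
function looksFramed(win) {
  return win.self !== win.top;
}

if (typeof require !== "undefined" && require.main === module) {
  const topLevel = {
    documentUrl: "https://bank.example/login",
    topLevelUrl: "https://bank.example/login",
  };
  const framedByThirdParty = {
    documentUrl: "https://bank.example:443/login",
    topLevelUrl: "https://evil.example/",
  };
  console.log("top-level bank page:", getKeysByNameModel(topLevel, "login-key"));
  console.log("bank page framed by evil.example:",
    getKeysByNameModel(framedByThirdParty, "login-key"));
}

module.exports = { getKeysByNameModel, looksFramed, originOf };
```

Run with `node` to see the top-level bank page receive its key while the same page framed by a third-party origin gets an empty result, which is the cookie-like behaviour the "Treating ... as cookies" section hints at. Flipping `topLevelOnly` to false reproduces the permissive reading of MAY, which is the reading the mail is objecting to.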