- From: Ryan Sleevi <sleevi@google.com>
- Date: Tue, 2 Jul 2013 21:41:09 -0700
- To: Yoshi Huang <allstars.chh@mozilla.com>
- Cc: public-webcrypto-comments@w3.org
- Message-ID: <CACvaWvbn1bj6MKVobFTTrojmm7GOG4kBRWeaYcuTs7H0GFSwgA@mail.gmail.com>
SPKI is Subject*Public*KeyInfo, so no. PKCS#12 just holds PKCS#8 key blobs. So you would write your own PKCS#12 parser to read the different bags, then import the decrypted PKCS#8 key. The goal is to avoid requiring the UA to support PKCS#12 natively, much in the same way it tries to avoid requiring JWE support or any other key transport specific protocols. Do that in content, not the UA, same as you do today with existing APIs. On Jul 2, 2013 9:30 PM, "Yoshi Huang" <allstars.chh@mozilla.com> wrote: > Hi Ryan, > > Sorry for not asking question clearly. > > The keys could be encrypted pkcs8 or pkcs12 > Also does the 'spki' in KeyFormat includes pkcs12 ? > > And thanks for your detail explanation. > > > On 07/03/2013 01:55 AM, Ryan Sleevi wrote: > >> Could you explain which keys you're thinking of? >> >> The spec indicates that "pkcs8" is a PrivateKeyInfo, not an >> EncryptedPrivateKeyInfo, from RFC 5208. >> >> If you had a passphrase protected EncryptedPrivateKeyInfo, you would >> do the same thing you do in other APIs - you would prompt the user for >> the passphrase, apply it through PBKDF to derive the key, then decrypt >> the PrivateKeyInfo to be able to import it. >> >> This is the same workflow for the JWE-protected JWK, which is that the >> API tries to avoid baking in knowledge of specific protocols or >> higher-level key formats (whether CMS or JOSE), and instead focus on >> primitives and the security boundary therein. This has been quite >> suitable for a variety of well-used, long successful APIs. >> >> >> -- > Yoshi Huang, Mozilla Taiwan > allstars.chh@mozilla.com > >
Received on Wednesday, 3 July 2013 04:41:36 UTC