On Thu, Oct 24, 2013 at 12:36 PM, Mountie Lee <mountie@paygate.net> wrote: > Hi. > from the members of WebCrypto WG, > different views of key-ownership are exist. > > if the key is owned by USER, helpcrypto's comment has meaning. > > if the key is owned by key provisioner (normally servers), Ryan's comment > has meaning. > > at least, I think the key should be owned by user. (means fully controlled > by user not server side) > > the server can initiate crypto operations but > user consent is required for important operations (like signing) . > > just different view. both are correct. > > current draft is not based on user ownership. > > regards > mountie. > Hi mountie *IIUC, Webcrypto does not care/think about "users using the Javascript API to sing using their keys"?* As always IMHO, this standard should include getKey function i exposed before, without loosing any validity, but increasing Webcrypto usability (hope I used the proper english words) *I really encourage WG to consider this scenario, if not done already:* Users using their certificates (installed in NSS/smartcard/whatever i dont care, but recovered using "getKey" function) to sign "things" using Webcrypto .sign function. If getKey has a keystore/filter feature or not, that is another story (ill vote yes!) Having this in mind, importKey and exportKey could be removed from draft (generateKey should still be neccesary, including a keystore param to choose which keystore to use) As said before, i appreciate your valuable responses, and im sure your are doing your best regarding this lack of end-user crypto standards (probably there are too many but *none focused on the user*, so no one worked) Thank you all again for your answers.
Received on Thursday, 24 October 2013 11:33:44 UTC