- From: Samuel Erdtman <samuel@erdtman.se>
- Date: Thu, 12 Sep 2013 02:18:49 +0100
- To: "public-webcrypto-comments@w3.org" <public-webcrypto-comments@w3.org>
- Message-ID: <CAF2hCbafKdmsMsiWMVYRykFXGBW8c7SYd1K4bDYSfH6joVcttQ@mail.gmail.com>
Hi, I'm reading the discussion on non-extractability of keys and find it very interesting. I do not get all the details and have not read all the historical mails between Mark and Ryan. But here is how I would like to use non-extractable keys.

== Asymmetric keys Usage ==

* User wants a key (and a certificate for the key)
* JavaScript asks WebCrypto to generate an asymmetric key that should not be possible to extract
* After generation JavaScript creates a P10 request with PoP (with data from the user or data pre-configured for the user from the server)
* The user enters some kind of authentication data
* The authentication data and the P10 request are sent to the RA, either with CORS if the RA is not hosting this page or directly if the RA is hosting the page.
* The reply contains a certificate for the key. The certificate could be stored in Localstorage or IndexedDB.
* Now my site has a key and a certificate. I could now create a signing service and an API over PostMessage and sell signatures to other sites.
* Other sites would load me and send me a message asking for a signature
* I would ask the user if he wants to sign the message or reject it. Here I could also add some additional checks like password/pin to allow for two factor authentication or signatures for more sensitive data (Anders might like that)
* The signature returned would be packaged as P7, XMLDigSig or JWS depending on the requesting service.

(if desired we could do encryption too)
(another scenario here is that the site needing signatures generates the key and requests a certificate over CORS; then I would sell certificates)

== Symmetric keys ==

This is similar usage but the provisioning has to be a bit different

* User wants a key
* JavaScript asks WebCrypto to generate a symmetric non-extractable key
* Either we could wrap this key with a key derived from a password or with an asymmetric key loaded from the server (then we would have to identify the key from the server in some way)
* WebCrypto is asked to wrap the key
* The wrapped key is sent to the server directly or through CORS
* Now I can use this key for generating OTPs or encrypting data
* I would expose this to other services through a PostMessage API just as for asymmetric keys
* OTPs could be used in offline cases.

(this scenario could easily be turned around and have the server generate the key and unwrap it in the client)

I want to protect myself from ever having the key touched directly by a JavaScript that might have been compromised. Sure, if compromised the attacker could create a signature oracle but not steal the keys. I would also prefer keys not be sent over the wire in clear text, not even over TLS. If the browser now stores the key in a secure way, e.g. some form of crypto hardware, I could almost claim non-repudiation for this service.

If the key is extractable one could steal it by compromising my site; if it is not extractable it is not possible to steal without compromising the browser and preferably not even then (hardware). Of course cloning between sites could not be allowed to give these properties.

Hope this gave some insight on how I would like to use this at least and what requirements it puts on the API.

Best Regards
//Samuel Erdtman
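The two flows sketched in the mail, played through against the WebCrypto API (`crypto.subtle`) as it was finally specified. This is an added example, not code from the mail, the thread or the W3C specification; the function names (`asymmetricFlow`, `symmetricFlow`, `deriveWrappingKey`, `getCrypto`) and the password and message values are my own. One practitioner caveat it makes visible: the symmetric list as written (generate a non-extractable key, then ask WebCrypto to wrap it) does not work in the shipped API, because `wrapKey` refuses a key whose `extractable` flag is false. The "turned around" variant the mail mentions in passing, where the server generates the key and the client unwraps it as non-extractable, does work, so that is the order the code uses.

```javascript
// Added example (not from the mail or the WebCrypto spec): both usage flows
// with the standard WebCrypto API. Runs in a browser or in Node 15+.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Browsers and Node >= 19 expose crypto globally; older Node via node:crypto.
async function getCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  const { webcrypto } = await import('node:crypto');
  return webcrypto;
}

const ECDSA = { name: 'ECDSA', namedCurve: 'P-256' };
const SIGN = { name: 'ECDSA', hash: 'SHA-256' };

// Asymmetric flow: non-extractable private key, public half exported for the
// certificate request, signatures produced on behalf of a requesting site.
async function asymmetricFlow(message) {
  const { subtle } = await getCrypto();
  // extractable = false applies to the private key; the public key of a
  // generated pair is always exportable (needed to build the P10 request).
  const { privateKey, publicKey } = await subtle.generateKey(ECDSA, false, ['sign', 'verify']);
  const spki = await subtle.exportKey('spki', publicKey);

  // Even the page's own (possibly compromised) script cannot read the key out.
  let privateExportBlocked = false;
  try { await subtle.exportKey('pkcs8', privateKey); } catch { privateExportBlocked = true; }

  // Signing service: sign the bytes another site handed over via PostMessage.
  const data = enc.encode(message);
  const signature = await subtle.sign(SIGN, privateKey, data);

  // Relying party checks the signature against the certified public key only.
  const verifier = await subtle.importKey('spki', spki, ECDSA, true, ['verify']);
  const valid = await subtle.verify(SIGN, verifier, signature, data);
  const tamperedValid = await subtle.verify(SIGN, verifier, signature, enc.encode(message + 'x'));
  return { privateExportBlocked, valid, tamperedValid };
}

// Password-derived wrapping key (PBKDF2 -> AES-KW), derivable on both sides
// from the same password and salt; the key itself is never exportable.
async function deriveWrappingKey(subtle, password, salt) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Symmetric flow in the "turned around" order: the server generates the key,
// the client unwraps it as non-extractable. wrapKey on a non-extractable key
// throws, so the order listed in the mail cannot be used with the final API.
async function symmetricFlow(password, plaintext) {
  const crypto = await getCrypto();
  const { subtle } = crypto;
  const salt = crypto.getRandomValues(new Uint8Array(16));

  // Server side: the key must be extractable here, otherwise it cannot be wrapped.
  const serverKey = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const serverWrapKey = await deriveWrappingKey(subtle, password, salt);
  const wrapped = await subtle.wrapKey('raw', serverKey, serverWrapKey, 'AES-KW');

  // Client side: derives the same wrapping key from password and salt and
  // unwraps with extractable = false, so page script never sees raw key bytes.
  const clientWrapKey = await deriveWrappingKey(subtle, password, salt);
  const clientKey = await subtle.unwrapKey('raw', wrapped, clientWrapKey, 'AES-KW',
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);

  // Neither export nor re-wrap is possible on the non-extractable client key.
  let clientExportBlocked = false;
  try { await subtle.exportKey('raw', clientKey); } catch { clientExportBlocked = true; }
  let rewrapBlocked = false;
  try { await subtle.wrapKey('raw', clientKey, clientWrapKey, 'AES-KW'); } catch { rewrapBlocked = true; }

  // Both sides now hold the same key: the server decrypts what the client encrypts.
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv }, clientKey, enc.encode(plaintext));
  const pt = dec.decode(await subtle.decrypt({ name: 'AES-GCM', iv }, serverKey, ct));
  // AES-KW output is the key plus an 8-byte integrity block: 32 + 8 = 40 bytes.
  return { wrappedLength: wrapped.byteLength, clientExportBlocked, rewrapBlocked, roundTrip: pt };
}
```

Calling `asymmetricFlow('sign me')` returns `privateExportBlocked: true`, `valid: true`, `tamperedValid: false`; `symmetricFlow('correct horse', 'otp seed')` returns a 40-byte wrapped blob, both blocked flags true, and the plaintext round-tripped through the client key. The signature-oracle property the mail accepts is visible in `asymmetricFlow`: a compromised script can still call `sign`, but `exportKey` on the private half fails.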
Received on Thursday, 12 September 2013 01:19:17 UTC