W3C home > Mailing lists > Public > public-webcrypto-comments@w3.org > February 2014

Extractable Keys

From: Matthew Tamayo <matthew@kryptnostic.com>
Date: Mon, 3 Feb 2014 19:15:29 -0800
Message-ID: <CANBFrYwVQx2qFwH1N_xpfa=AHP+z1wUiWWPw_TxWbvA8XAisMQ@mail.gmail.com>
To: public-webcrypto-comments@w3.org
A fellow developer point me at the Web Crypto API draft, when I was looking
into whether it would be possible to have the browser execute some key
generation process that would allow use of a secret key for encryption /
decryption, but would not allow that key to be extracted and sent elsewhere
with a Javascript call. I was wondering if the "Key.extractable" property
in section 11 was intended for that purpose.

The specific scenario I am interested in is if a bad actor is able to
compromise a website to deliver bad JS that attempts to extract they keys
and send them to their own server, whenever a user visits what is otherwise
a functional and previously safe site.

It would be very useful for a site to be able to generate a key, which is
could use via a handle like interface, but the site is unable to read the
contents of the keys.

Received on Tuesday, 4 February 2014 12:53:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:03:27 UTC