Re: Will the WebCrypto API allow discovery/enumeration of certificates? from Ryan Sleevi on 2015-06-25 (public-webcrypto-comments@w3.org from June 2015)

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 24 Jun 2015 23:58:41 -0700
To: Jeffrey Walton <noloader@gmail.com>
Cc: WebCrypto Comments <public-webcrypto-comments@w3.org>
Message-ID: <CACvaWvZsfJkqUCu8A_NoWMRZgA=Qhrkn9XB0wnq+VnFXjcNr2g@mail.gmail.com>

On Wed, Jun 24, 2015 at 2:40 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>
> Wouldn't the private key pose the same sort of information leaks?
>

The private key represents a strong fingerprint, and depending on who
provisioned it, MAY represent a public information leak (e.g. if you know
the private key was issued by a particular government entity, you can look
up the public key for that private key and, from there, find the associated
certificate)

But unquestionably the certificates represent additional information above
and beyond that of the key, and that's just not acceptable.

Received on Thursday, 25 June 2015 06:59:09 UTC